I have key words like project, plan, lease.
Now if any file name hits these keywords, I need to find which keywords have hit. If my file name is Project_plan gamil.doc then the keywords hit are project and plan.
My query is like
mysearch | rex field=source "(?
but when I am writing like
mysearch | rex field=source "(?
it's not working, as the column found_project only contains Plan or project, not those two values together for Project_plan gamil.doc, but I want my found_project column to contain data like Project,plan
as two key words have been hit.
In JavaScript there is one command a=string.match(regex); a column will contain all the data that matches the regex. I want to do the same with Splunk. Can anyone help in this regard?
Doesn't using max_match do the trick?
... | fields source | rex field=file max_match=999999 "(?<found_project>(?i)(project|plan|lease|someotherterm))" | table _time found_project source
Can nomv help with this requirement?
project_plan_project.doc project
plan
Thanks for your help. I thought about mvexpand but it was coming as
project_plan_project.doc project
project_plan_project.doc plan
but my final table will be like
project_plan_project.doc project
plan
that is, found_project at last will be a multivalued field,
only project will come once.
Is there any query in Splunk for this?
... | fields source | rex field=file max_match=999999 "(?
If my file name is project_plan_project.doc
then under found_project plan is coming twice, like
Plan
Project
project
Is there any solution so that project comes only once? I used dedup but it won't work. Can you help me?
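The following is an added example, not a query from anyone in this thread. It shows the two pieces the question needs: max_match on rex to capture every keyword occurrence into a multivalue field, and mvdedup (after lower()) to keep each keyword once regardless of case. The dedup command removes duplicate events, not duplicate values inside one multivalue field, which is why it did not help here. The filenames are constructed sample data via makeresults so the search runs without any indexed events; replace that part with your own search and field name.

```spl
| makeresults count=1
| eval source="Project_plan gamil.doc"
| append [| makeresults count=1 | eval source="project_plan_project.doc"]
| rex field=source max_match=0 "(?i)(?<found_project>project|plan|lease)"
| eval found_project=mvdedup(lower(found_project))
| eval found_project_csv=mvjoin(found_project, ",")
| table source found_project found_project_csv
```

max_match=0 means no limit on matches. For project_plan_project.doc the rex step yields project, plan, project; mvdedup reduces that to project and plan, and mvjoin renders the single-valued comma-separated form if you would rather not keep a multivalue field.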
You could try the following:
Define your rex:
mysearch | rex field=source "(?<found_project>(?i)(project))"
Create a "match" field:
..| eval match=1
Create a lookup with your keywords and the match column, e.g. for keywords.csv (this will need to be set up on server side):
match,keyword
1,plan
1,lease
I've taken project out as you have already extracted this in the field, so you could always add it back in as another row.
Perform a lookup on the match field to add in your values:
..|lookup keywords match output keyword
This should add all the values to your events, so expand them out:
..|mvexpand keyword
Then filter out any matching events:
..| where match(keyword,found_project)
I have not tested this, but I have used similar solutions before when looking for keywords.
Hope this helps.
If you extract the found_project field and project_plan.doc is one of the values for that field, the match will exclude any events that do not match the keyword. Other than that I'm not sure I understand the question...
In which way will I pass the file name Project_plan.doc to the lookup query? I have to match against the filename whether these key words are present in the file name or not. Can you help once more please?