Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

'AND' operator in Regular Expressions

Michael_Schyma1
Contributor
‎11-26-2012 06:14 AM

I am trying to only select the data that has Directory Administrators OR Master Web Resource Admins AND I want that data to have MOD in it. So the main part that i am missing here is what operator says AND in regular expressions and send all other data to nullQueue. The pipe between Master Web Resource Admins and the selection of the three numbers is wrong. I need to figure out how to get something that says AND in there. 

#CID_LDAP
[setnullldap]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsingldap]
REGEX = (?:Directory Administrators)|(?:Master Web Resource Admins)|([0-9][0-9][0-9]\s+(:?MOD)\W+)
DEST_KEY = queue
FORMAT = indexQueue

Below is an example of the raw data that is being passed into Splunk:

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 MOD dn="obname=201211104775926,obname=20121011230424,obapp=PSC,o=Oblix,o=scope"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 RESULT err=0 tag=103 nentries=0 etime=0 csn=50aa60ef00000

[19/Nov/2012:11:37:10 -0500] conn=883 op=417 SRCH base="obapp=PSC,o=Oblix,o=scope" scope=1 filter="(objectClass=oblixGSN)" attrs="obSeqNo"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=417 RESULT err=0 tag=101 nentries=1 etime=0 Directory Administrators
Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-29-2014 12:07 PM

You can an OR condition in REGEX
REGEX = {something|differentthing)

Or you can use multiple successive transforms to send to the parsing queue.


[myldapsourcetype]
TRANSFORMS-filterevents = setnullldap, setparsingldap_admin, setparsingldap_mod

0 Karma
Reply

wpreston
Motivator
‎11-26-2012 07:44 AM

Would something like this work for you?

op=(?<Feild1>\d+)\sMOD\s.*(?:o=\sDirectory\sAdministrators|o=\sMaster\sWeb\sResource\sAdmins)

I'm using a capturing group for the digits and a non capturing group for the Admins search, but it's simple to change that to a capturing group if need to use it for field extraction. Also, I'm not sure if the space in front of Directory Administrators (and by extension: Master Web Resource Admins) is intentional or not, so please remove it if it shouldn't be there.

Reply

Michael_Schyma1
Contributor
‎11-26-2012 06:48 AM

[19/Nov/2012:11:37:10 -0500] conn=8813713 op=416 MOD dn="obname=20121119T09404775926,obname=20121010T07001230424,obapp=PSC,o=Oblix,o= Directory Administrators"

MOD will come first. If any additional information is needed, just let me know. Thank you so much

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎11-26-2012 06:42 AM

Can you provide a sample line that should be indexed? That is, it matches your stated criteria? The key bit will be the relative position of your selection strings vs. the MOD string (whether it comes before or after...).

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...