Splunk Search

Can you help me with a regex expression (multiple in one query)?

JoshuaJohn
Contributor

Trying to capture multiple groups, basically after the colon

MacAddress                : 7A:AA:82:31:24:B1
Manufacturer              : VENDOR
Username                  : SC32131BN_user
IPNET                     : 11.412.111.
PasswordExpires           : 11/24/2018 3:44:48 PM
Version                   : CCCS   - 1423209
PhysicalDriveSpace        : 19.620432424279
TotalRAM                  : 3.84324242539
DHCPLeaseExpires          : 20432424324215.000000-300
DHCPServer                : 11.12.234.61
SID                       : S-1-5-21-432233414-414324275-1810497902-1001

The name would be the field on the left.

I tried something like this: | rex "MacAddress\s+:\s(?P<MacAddress>[^\n]+)|Manufacturer\s+:\s(?P<Manufacturer>[^\n]+)" but it doesn't appear to be giving me anything.


KailA
Contributor

Hi,

If this is only one event, like a multivalue field, I may have a solution for you:

  1. Replace every : by =
    | rex field=yourfield mode=sed "s/:/=/"

  2. Rename your field as _raw
    |rename yourfield as _raw

  3. Use KV function
    | KV

Edit:

Working example:

| makeresults 
| eval data="MacAddress                : 7A:AA:82:31:24:B1,Manufacturer              : VENDOR,Username                  : SC32131BN_user,IPNET                     : 11.412.111.,PasswordExpires           : 11/24/2018 3:44:48 PM,Version                   : CCCS   - 1423209,PhysicalDriveSpace        : 19.620432424279,TotalRAM                  : 3.84324242539,DHCPLeaseExpires          : 20432424324215.000000-300,DHCPServer                : 11.12.234.61,SID                       : S-1-5-21-432233414-414324275-1810497902-1001"
| eval data = split(data,",")
| rex field=data mode=sed "s/:/=/"
| rename data as _raw
| KV

493669
Super Champion

Try this:
props.conf -

[<yoursourcetypename>]
REPORT-xmlext = xml-extr

transforms.conf -

[xml-extr]
REGEX = (\w+)\s*:\s([^\r\n]+)
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true

It will extract fields at index time


JoshuaJohn
Contributor

Unfortunately, I do not have access to edit props.conf.


493669
Super Champion

Then try this in the query:

...| extract kvdelim=":" pairdelim="\n"
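As an added Python illustration (not from the thread and not Splunk's own code), this applies the transforms.conf regex from the answer above to the block posted in the question and also shows the first-colon-only replacement that KailA's sed step relies on; the event text is constructed from the question's dummy values, and the function names are mine.

```python
import re
from typing import Dict

# Constructed sample event, copied from the dummy values in the question.
SAMPLE_EVENT = """MacAddress                : 7A:AA:82:31:24:B1
Manufacturer              : VENDOR
Username                  : SC32131BN_user
IPNET                     : 11.412.111.
PasswordExpires           : 11/24/2018 3:44:48 PM
Version                   : CCCS   - 1423209
PhysicalDriveSpace        : 19.620432424279
TotalRAM                  : 3.84324242539
DHCPLeaseExpires          : 20432424324215.000000-300
DHCPServer                : 11.12.234.61
SID                       : S-1-5-21-432233414-414324275-1810497902-1001
"""

# Same pattern as the transforms.conf REGEX above. The field name is the run of
# word characters at the start of a line, the first colon (after optional
# whitespace) is the delimiter, and the value runs to end of line, so colons
# inside a MAC address or a timestamp stay in the value. Anchoring with ^ and
# re.MULTILINE plays the role of REPEAT_MATCH walking the event line by line.
FIELD_RE = re.compile(r"^(\w+)\s*:\s([^\r\n]+)", re.MULTILINE)


def extract_fields(event: str) -> Dict[str, str]:
    """Return {name: value} for every 'Name : value' line in the event."""
    return {name: value.strip() for name, value in FIELD_RE.findall(event)}


def first_colon_to_equals(line: str) -> str:
    """Python equivalent of rex mode=sed "s/:/=/" (no g flag): only the first
    colon becomes '=', so a later kv split on '=' sees exactly one pair."""
    return line.replace(":", "=", 1)


def naive_split(line: str) -> list:
    """What splitting on every colon would do: a MAC address value is shredded
    into six extra pieces, which is why the single-delimiter approach matters."""
    return [part.strip() for part in line.split(":")]


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{name} = {value}")
```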