Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with regex with two different type events

vrmandadi
Builder
‎09-05-2019 07:17 AM

Hello I have the below sample events
Thu Sep 5 10:00:02 EDT 2019 XDB EXPIRED & LOCKED 28-SEP-11 CTXAPP

Thu Sep 5 10:00:02 EDT 2019 VWEinsnte3345 LOCKED GPW_READ
Thu Sep 5 10:00:02 EDT 2019 SK_RYT LOCKED(TIMED) CDS_SELECT_ALL

I want to extract XDB , VWEinsnte3345 ,SK_RYT AS USERNAME and EXPIRED & LOCKED , LOCKED , LOCKED(TIMED) as status , 28-SEP-11 as expiry date(this field is not there for all events) and CTXAPP , GPW_READ , CDS_SELECT_ALL as ROLE

Below is the regex I am using but this is only extracting for event 2 

EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>[^ ]+)\s*(?<ROLE>[^ ]+)

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2019 07:37 AM

Hi vrmandadi,
you could try to use two regexes to extract fields:

| rex "EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>.*)\s+(?<ROLE>[^ ]+)$"
| rex field=STATUS "(?<STATUS1>.*)\s+(?<expity_date>\d+-\w+-\d+)"
| eval STATUS=coalesce(STATUS1, STATUS)

The second regex runs with events with expiry date and the second one with events without it.
You can test the first regex in https://regex101.com/r/oNrmd0/1 and the second one in https://regex101.com/r/oNrmd0/2

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-05-2019 07:37 AM

Hi vrmandadi,
you could try to use two regexes to extract fields:

| rex "EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>.*)\s+(?<ROLE>[^ ]+)$"
| rex field=STATUS "(?<STATUS1>.*)\s+(?<expity_date>\d+-\w+-\d+)"
| eval STATUS=coalesce(STATUS1, STATUS)

The second regex runs with events with expiry date and the second one with events without it.
You can test the first regex in https://regex101.com/r/oNrmd0/1 and the second one in https://regex101.com/r/oNrmd0/2

Bye.
Giuseppe

Reply
Solved! Jump to solution

vrmandadi
Builder
‎09-06-2019 10:45 AM

Thanks Much

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-05-2019 07:27 AM

Try this

EDT\s\d*\s(?<USERNAME>[^\s]+)\s*(?<STATUS>\w+( & \w+)?)\s*(?<EXPIRY>\d+-[A-Z]+-\d+)?\s*(?<ROLE>[A-Za-z0-9_-]+)

regex101.com is your friend.

https://regex101.com/r/ojcpz7/1

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎09-05-2019 07:35 AM

Hello @DalJeanis I tried your regex but it did not work .I did try that in regex101 but it is not capturing everything for EXPIRY the values are 28-SEP-1 and ROLE has 1 which should be 28-SEP-11 and CTXAPP respectively .
The same with event 2 the status has value LOCKE and ROLE has D

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎09-05-2019 08:25 AM

is that your entire event? if not then could pls share the entire event?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...