REX separator in search string

p_basanth · ‎03-13-2013

I have 2 separate rex extractions. Both work fine individually. I need to combine both these rex's into single search without using |What is the seperator/delimter for multiple rex in single search

case1 : working fine
|rex extraction1
|rex extraction2

case 2: not working
|rex extraction1, extraction2
|rex (extraction1)(extraction2)
|rex extraction1 extraction2

starcher · ‎03-15-2013

I usually move my rex extractions to props and transforms once I have them working and if I need them in an ongoing basis. There is no real reason you have to try and combine them into one.

Here is an example where I have syslog from pgp management appliance. Broken out using multiple extracts.

From PROPS.CONF:

[syslog_pgp]
CHECK_FOR_HEADER = 0
SHOULD_LINEMERGE = TRUE
REPORT-uabPGP=pgpclient-extract,pgpuser-extract,pgpdisk-extract,pgpmachine-extract,pgpsrc-    extract-1,pgpsrc-extract-2
pulldown_type = false

Then the stanzas from TRANSFORMS.CONF

[pgpclient-extract]
REGEX = (?:CLIENT-)(?P<client>\d{5})

[pgpuser-extract]
REGEX = (?i: [\[]{0,1}User )(?P<user>[^ \]]+)

[pgpuser-extract-2]
REGEX = (?:attempt for Administrator \")(?P<user>[^ \"]+)

[pgpdisk-extract]
REGEX = (?: on disk )(?P<disk>.+)(?: on )

[pgpmachine-extract]
REGEX = (?: on machine )(?P<machine>[^ ]+)

[pgpsrc-extract-1]
REGEX = (?: from \[)(?P<src_ip>[^\]]+)

[pgpsrc-extract-2]
REGEX = (?: connection from )(?P<src_ip>[^ ]+)

martin_mueller · ‎03-13-2013

You could put both in props.conf/transforms.conf.

Ayn · ‎03-13-2013

Why would you need to combine them? Just keeping them separate is easiest and least confusing.

REX separator in search string

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms