REX separator in search string

p_basanth · ‎03-13-2013

I have 2 separate rex extractions. Both work fine individually. I need to combine both these rex's into single search without using |What is the seperator/delimter for multiple rex in single search

case1 : working fine
|rex extraction1
|rex extraction2

case 2: not working
|rex extraction1, extraction2
|rex (extraction1)(extraction2)
|rex extraction1 extraction2

starcher · ‎03-15-2013

I usually move my rex extractions to props and transforms once I have them working and if I need them in an ongoing basis. There is no real reason you have to try and combine them into one.

Here is an example where I have syslog from pgp management appliance. Broken out using multiple extracts.

From PROPS.CONF:

[syslog_pgp]
CHECK_FOR_HEADER = 0
SHOULD_LINEMERGE = TRUE
REPORT-uabPGP=pgpclient-extract,pgpuser-extract,pgpdisk-extract,pgpmachine-extract,pgpsrc-    extract-1,pgpsrc-extract-2
pulldown_type = false

Then the stanzas from TRANSFORMS.CONF

[pgpclient-extract]
REGEX = (?:CLIENT-)(?P<client>\d{5})

[pgpuser-extract]
REGEX = (?i: [\[]{0,1}User )(?P<user>[^ \]]+)

[pgpuser-extract-2]
REGEX = (?:attempt for Administrator \")(?P<user>[^ \"]+)

[pgpdisk-extract]
REGEX = (?: on disk )(?P<disk>.+)(?: on )

[pgpmachine-extract]
REGEX = (?: on machine )(?P<machine>[^ ]+)

[pgpsrc-extract-1]
REGEX = (?: from \[)(?P<src_ip>[^\]]+)

[pgpsrc-extract-2]
REGEX = (?: connection from )(?P<src_ip>[^ ]+)

martin_mueller · ‎03-13-2013

You could put both in props.conf/transforms.conf.

Ayn · ‎03-13-2013

Why would you need to combine them? Just keeping them separate is easiest and least confusing.

REX separator in search string

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor