
How to search from last occurrence of a string

benuantony
New Member

Hello Experts,

I am trying to read the text from the last square bracket (which is TestModelCompany,en_US):

21:11:31,367 INFO  [TestBenuLogger] [155.56.208.68] [716057]  [-] [TestModelCompany,en_US] No 1 XX_TimeStep="10" XX_TimeQuery="10" XX_HTTPSession="1398708550-1911P0" XX_QuerySession="null" XX_TimeStamp="2020-02-09T20:11:31.358Z-PY" XX_Company="Model Company" XX_QueryMode="STANDARD" XX_Agent="Model"

Starting Model API :
Mode       : Standard
Query Operation : QUERY
Company         : Model Company
New Snapshot Calculation 

I wrote a regular expression to extract the content from the last bracket:

(?<=\[)[^\[\]]*(?=][^\[\]]+$)

It works well. However, I am unable to integrate it into Splunk.

This is my existing Splunk query:

sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?<lmo_date>.*?):\d\d\w\'"  | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") |  eval daysDiff=(_time-lmo_date_converted)/86400 | rex field=_raw "(?<name><=\[)[^\[\]]*(?=][^\[\]]+$)"  | where daysDiff > 90  | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On"  by  XX_Company XX_Mode | sort -"Last Modified On averege days in past"

This is a working Splunk query. With this, I would like to display the content from the last bracket as a column. Could you guide?

0 Karma

somesoni2
SplunkTrust

Give this a try

sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?<lmo_date>.*?):\d\d\w\'"  | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") |  eval daysDiff=(_time-lmo_date_converted)/86400  | where daysDiff > 90 | rex field=_raw "^([^\[]+\[){5}(?<name>[^\]]+)"   | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On"  by  XX_Company XX_Mode name | sort -"Last Modified On averege days in past"
0 Karma

benuantony
New Member

any idea?

0 Karma

somesoni2
SplunkTrust

Is the log format constant? If yes, the name you're trying to extract is the 5th [...] element. Extract it based on that position and add name to your stats-by clause.

0 Karma

to4kawa
Ultra Champion
| stats values(name) as name avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On"  by  XX_Company XX_Mode

I fixed stats.

0 Karma

benuantony
New Member

I just need to add a new column with my regex. The stats is already working well

The regular expression to extract the content from the last bracket is this:

(?<=\[)[^\[\]]*(?=][^\[\]]+$)

How to add this in rex & show it as a column with existing query?

0 Karma

to4kawa
Ultra Champion

Did you try my last answer? The name value appears.

0 Karma

wneighbo
New Member

try adjusting your second rex: rex field=_raw "(?<name>(?<=\[)[^\[\]]*)(?=][^\[\]]+$)"

0 Karma

benuantony
New Member

What is wrong in this?

0 Karma

to4kawa
Ultra Champion
|rex field=_raw "\[(?<name>.*?\,.*?)\]"

simply.

0 Karma

benuantony
New Member

ok.. how to display the variable "name" as a column in statistics? I would like to test your rex field=_raw "\[(?<name>.*?\,.*?)\]"

0 Karma
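
The replies above propose four different rex patterns for the same field. The following is an added example, not code from the thread or from Splunk, that runs each of them against the event quoted in the question so the differences are visible. It uses JavaScript's RegExp on the assumption that the constructs involved here behave the same as in Splunk's PCRE-based rex: `(?<name>...)` named groups, `(?<=...)` lookbehind, `(?=...)` lookahead, and `$` meaning the end of the whole event when no multi-line flag is set. The `lastBracketNoLookaround` pattern is my own addition, not one posted in the thread.

```javascript
// Added example (not from the thread): compare the rex patterns proposed in the replies
// against the question's sample event. JavaScript RegExp is assumed to match Splunk's
// PCRE semantics for named groups, lookaround and "$" (end of the whole event).

// Constructed test input: the multi-line event quoted in the question, joined with
// newlines, because Splunk's _raw holds the entire event, not only its first line.
const sampleEvent = [
  '21:11:31,367 INFO  [TestBenuLogger] [155.56.208.68] [716057]  [-] [TestModelCompany,en_US] No 1 XX_TimeStep="10" XX_TimeQuery="10" XX_HTTPSession="1398708550-1911P0" XX_QuerySession="null" XX_TimeStamp="2020-02-09T20:11:31.358Z-PY" XX_Company="Model Company" XX_QueryMode="STANDARD" XX_Agent="Model"',
  '',
  'Starting Model API :',
  'Mode       : Standard',
  'Query Operation : QUERY',
  'Company         : Model Company',
  'New Snapshot Calculation',
].join('\n');

// The patterns as posted in the thread (String.raw keeps the backslashes literal),
// plus one extra pattern, lastBracketNoLookaround, which is my own addition.
const patterns = {
  // The asker's rex: the named group wraps the text "<=\[", so the intended lookbehind
  // became a literal "<=[" inside the capture and the pattern can never match.
  askerAttempt: String.raw`(?<name><=\[)[^\[\]]*(?=][^\[\]]+$)`,
  // wneighbo's correction: keep (?<=\[) intact and put the capture around the body.
  lookaroundFixed: String.raw`(?<name>(?<=\[)[^\[\]]*)(?=][^\[\]]+$)`,
  // somesoni2's positional rex: skip past five "[" and capture up to the next "]".
  fifthBracket: String.raw`^([^\[]+\[){5}(?<name>[^\]]+)`,
  // to4kawa's shorter rex: from the FIRST "[", lazily up to a comma, then to the next "]".
  firstBracketWithComma: String.raw`\[(?<name>.*?\,.*?)\]`,
  // Added alternative: a "[...]" pair followed by no further brackets before the end of
  // the event, i.e. the last bracket pair, written without lookbehind.
  lastBracketNoLookaround: String.raw`\[(?<name>[^\]]*)\][^\[\]]*$`,
};

// Return the "name" capture for one pattern, or null when it does not match
// (Splunk's rex likewise leaves the field absent on a non-matching event).
function extractName(pattern, event) {
  const m = new RegExp(pattern).exec(event);
  if (!m || !m.groups || m.groups.name === undefined) return null;
  return m.groups.name;
}

// Run every pattern and report what the "name" field would hold for this event.
function compareAll(event = sampleEvent) {
  const results = {};
  for (const [label, pattern] of Object.entries(patterns)) {
    results[label] = extractName(pattern, event);
  }
  return results;
}

console.log(compareAll());
```

On this event, `lookaroundFixed`, `fifthBracket` and `lastBracketNoLookaround` all yield `TestModelCompany,en_US`, while `askerAttempt` yields nothing (the named group swallowed the lookbehind syntax). `firstBracketWithComma` yields `TestBenuLogger] [155.56.208.68] [716057]  [-] [TestModelCompany,en_US`: the lazy `.*?` only limits how far the match extends, not where it starts, so it anchors on the first `[` and runs to the first comma. Also note that the `$`-based patterns depend on nothing after the last `]` containing a bracket, which holds for the quoted event but should be checked against the full range of events before the field is used in a stats clause.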