- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Informix Audit Regular Expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following content in the log file
====
ONLN|2010-07-06 13:53:52.000|test.tester.com|1068|db_server_name|informixuser|0:RDRW:dbname:477:139460610:483356
ONLN|2010-07-06 14:39:58.000|testpc.tester.com|8368|db_server_name|mware|0:OPDB:dbname:0:-
ONLN|2010-07-06 13:54:00.000|testpc2.test.com|9122|db_server_name|informix|0:ACTB:sysmaster:informix:sysadtinfo:166
.
.
====
When I use the following Regular Expression in the search string it works and gives the exact result I am looking for:
====
rex ".*?(\|).*?(\|).*?(\|).*?(\|).*?(\|)(?P<FIELDNAME>\w+)(\|)" | fields FIELDNAME
====
But When I try to use Extract Fields and there If I try to give this as my Regular Expression, it is giving me error:
====
Invalid regex: no named extraction at position 3 (i.e., "(\|).*?(\|..."). Expected "(?P<variable>;pattern)"
====
Can someone please help me in identifying the error?
My Aim is to make the 6th Field (| delimited) as a new field userid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all.. You need your field to be named in a capturing group. When you're using "rex", Splunk needs to know what you'd like your field name called. I'm not sure why you're capturing all those "pipe" characters in parens... I'd have written the regex like this. Its cleaner and more exact.
(syntax is "anything thats not a pipe--many times", followed by a pipe.. (repeated until you get to your sixth field).
|rex "[^\|]+\|[^\|]+\|[^\|]+\|[^\|]+\|[^\|]+\|(?<FIELDNAME>[^\|]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all.. You need your field to be named in a capturing group. When you're using "rex", Splunk needs to know what you'd like your field name called. I'm not sure why you're capturing all those "pipe" characters in parens... I'd have written the regex like this. Its cleaner and more exact.
(syntax is "anything thats not a pipe--many times", followed by a pipe.. (repeated until you get to your sixth field).
|rex "[^\|]+\|[^\|]+\|[^\|]+\|[^\|]+\|[^\|]+\|(?<FIELDNAME>[^\|]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used the above expression directly in the props.conf file and able to use it. I did not use the IFX.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually I am new to using Regular Expressions.
Your RE solved my problem.
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modify your regex as follows in the IFX (Interactive Field eXtraction) and it should work:
.?(\|).?(\|).?(\|).?(\|).*?(\|)(?P<FIELDNAME>\w+)(\|)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried above in the IFX, and it is giving me error:
Invalid regex: no named extraction at position 2 (i.e., "(|).?(|)..."). Expected "(?P<variable>pattern)"
Anyway thanks for the response. Now my issue is resolved as per the previous answer.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
