Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a regex syntax for undefined number of characters?

jenniferleenyc
Engager
‎07-25-2016 12:51 PM

I need to get commonName for ISSUER NAME but there are multiple issues: there are more than one commonName(one for ISSUER NAME and another for SUBJECT NAME), commonName position below ISSUER NAME is not fixed, and commonName will sometimes be a string of words with spaces between them. Is there a syntax for an indefinite number of characters and a syntax for scanning a string of words and spaces?

Data:
(0)ISSUER NAME

countryName US
organizationName Lucky Stars
commonName Dev Lucky Stars Internal PKI Firmwide Generic Issuing CA 6
(0)SUBJECT NAME

countryName US
stateOrProvinceName New York
localityName New York
organizationName Lucky Stars
commonName iklabnac04.ms.com
emailAddress mike.ng@luckystars.com
(0)Valid From May 26 03:33:39 2016 GMT
(0)Valid Till May 26 03:33:39 2018 GMT

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-25-2016 01:05 PM

Try this. There can be more than 2 commonName, adjust the max_match count and eval statements accordingly.

.... | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | ...
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 01:53 PM

I'm a little unfamiliar with regex syntax. What do the "..." and pipes indicate? What do I replace the "..." with?

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 01:57 PM

the ... just means etc. At the begining it is your base search, like this

index=nameofyourindex sourcetype=nameofsourcetype | rex max_match=2 "(?<commonName>commonName[^\t\n]+)"  | eval commonName_Issuer=mvindex(commonName, 0) | eval commonName_Subject=mvindex(commonName, 1) | table _time commonName_Issuer commonName_Subject
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 02:04 PM

This looks like a search string for Search&Reporting. Can I also put this string in the extraction/transform field?

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 02:26 PM

If you want the regex for the extraction/transform field, you can use the following in your props & transforms

*props*

[unique_stanza_name]
REPORT-common = commName_extract

*transforms*

[commName_extract]
REGEX=(?<commonName>commonName[^\t\n]+)
MV_ADD = true
0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 01:03 PM

Give this a try

your base search | rex "commonName (?<commonName>(\S+\s*)+)"
0 Karma
Reply

jenniferleenyc
Engager
‎07-25-2016 01:19 PM

would this be an inline command?

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 01:55 PM

Yes, this would be added to your current search. Post the search you're using if you've any confusion where it should be added.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2016 01:02 PM

Is the commonName field always prefixed by "commonName"?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...