Solved: Re: Regex match till end of event?

Cuyose · ‎08-09-2016

Not sure why I cant find this, but the following is not working.

|rex field=_raw "(?i)response=(?<responseXML>.+)$"

where response= occurs somewhere in the event and always continues to the very end of a multi lined event.

somesoni2 · ‎08-10-2016

Give this a try

 | rex field=_raw "response=(?<responseXML>[\S\s\r\n]*)$"

Option 2

 your base search | eval responseXML=replace(_raw,"^([\S\s\r\n]*)response=","")

View solution in original post

Richfez · ‎08-10-2016

Do you have a sample of one of the difficult, long, multi-line event that we can use for confirmation of potential solutions before posting them?

inventsekar · ‎08-10-2016

we are trying to create the rex query with just our own understanding of your issue.
could you please update us an event, and your current query, please.

somesoni2 · ‎08-10-2016

Give this a try

 | rex field=_raw "response=(?<responseXML>[\S\s\r\n]*)$"

Option 2

 your base search | eval responseXML=replace(_raw,"^([\S\s\r\n]*)response=","")

Cuyose · ‎08-10-2016

Cool, this worked(Option 1), but its very odd that I had to resort to this, as the first example I tried had worked in many other situations!

dbcase · ‎08-10-2016

Have you tried erex?

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Erex

Using erex, Splunk will attempt to write the rex pattern for you given your example string(s).

Cuyose · ‎08-10-2016

Unfortunately, while useful for smaller more specific examples, this cannot take multiple 1000 character examples across multiple lines as input.

sundareshr · ‎08-10-2016

Try this

| rex field=_raw "response=(?<msg>[^\t\n]+)"

Cuyose · ‎08-10-2016

this does not work because it only captures to the end of the current line the response= is found in.

sundareshr · ‎08-10-2016

Try this

| rex field=_raw "response=(?<msg>[^\S\t\r\n]+)"

inventsekar · ‎08-10-2016

"(?i)response=(?.+)$" -----

- you should use < and > around the variable - (?<i>) 
- (?<i>) needs to come where it will appear on the event (ie, after the "response=")

and i created few sample events ending with "response=digits"

event 1 - Extract "from" and "to" fields using regular expressions. response=101
event 2 - If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob, response=404
event 3 - source="tutorialdata.zip:./www1/access.log" response=500

and this query picks up the response codes fine.

sourcetype=responseREX | rex field=_raw "response=(?<i>.*)" | table _raw, i

regarding the end of line $, these below two works same -
response=(?.)
and
response=(?.)$

Cuyose · ‎08-10-2016

This only captured the first character after response=

Cuyose · ‎08-10-2016

Sorry, I had that, but I must have missed the code button and it stripped out some things.

This is not working

|rex field=_raw "(?m)Data=(?<xmlData>.+)$"

Regex match till end of event?

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification