Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regular expression with lookup

stang1234
New Member
‎05-29-2018 12:25 PM

Blockquote

I have to build a table that lists all the service names that are in particular format for e.g "ABC-*.-<>", Is this possible??

I actually tried by building a regular expression like this index=my_index sourcetype=my_source | regex name = "^ABC-.*-(Name1|Name2|Name3|Name4|....Name600) but I am getting "Regex: regular expression too large error" Any other way of solving this??

Blockquote

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-30-2018 09:00 AM

Try something like this.

index=my_index sourcetype=my_source name = "ABC*" | rex field=name "^ABC-.*-(?<subname>.*)" | lookup names.csv name-field-in-lookup-file as subname | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-30-2018 09:00 AM

Try something like this.

index=my_index sourcetype=my_source name = "ABC*" | rex field=name "^ABC-.*-(?<subname>.*)" | lookup names.csv name-field-in-lookup-file as subname | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

stang1234
New Member
‎05-30-2018 11:38 AM

Fantastic, that worked!! This is exactly what I was looking for.

0 Karma
Reply
Solved! Jump to solution

stang1234
New Member
‎05-30-2018 04:50 AM

All 600 start with a prefix like “ENV” and rest are random. I did create a lookup with these 600.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:31 PM

Is there a pattern to the service name endings or are they 600 random strings?
Regex is better suited to validating data format than content. IOW, use rex to determine if a string is a potential service name and extract the "Name*" part. Then use a lookup to validate the Name against a list of known names.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-29-2018 12:42 PM

Can you please show some example data?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...