Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Multiple Rex Expressions

Tags:

regex

splunk

rex

I'm using the rex expressions below to search for the following fields in my raw data:

Address Line 1 Address Line 2 Address Line 3 Address Line 4, and Postcode

| rex "Address Line 1=(?<address1>[^,]*)"  
| rex "Address Line 2=(?<address2>[^,]*)"  
| rex "Address Line 3=(?<address3>[^,]*)"  
| rex "Address Line 4=(?<address4>[^,]*)"  
| rex "Postcode=(?<postcode>[^,]*)"

As you can see by the expression, each of these fields is then assigned a variable so for Address Line 1, the variable is address1, Address Line 2 is 'address2' and so on.

As you will also no doubt see, the above expression contains multiple rex expressions, could someone perhaps tell me please, is there a way to combine these into one rex expression.

like image 393
IRHM Avatar asked Oct 19 '25 10:10

IRHM

2 Answers

The first example on page https://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Rex shows how to extract multiple fields with a single rex command. If your _raw is multiline, use \n or \r as appropriate. http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/AboutSplunkregularexpressions

like image 180
gliptak Avatar answered Oct 22 '25 05:10

gliptak

you simply put several group match in your regex. Here is an example:

| rex field=_raw "\"SubjectId\":\"(?P<User>[^\"]*)\".*\"GrantType\":\"(?P<GrantType>\w*)\".*\"Category\":\"(?P<Category>\w+)\".*\"Name\":\"(?P<desc>[^\"]*)\".*\"TimeStamp\":\"(?P<TimeStamp>[^\"]*)\".*\"RemoteIpAddress\":\"(?P<IP>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\"" |

of course, this requires to know the order of the fields in advance, which is not required when chaining several 'rex' expressions in your search.

I do find it easier for complex example to first put a few lines in regex101.app for instance to validate the expression (I'm using the local installed app, but the website works)

EDIT FOLLOWING COMMENT

If all your addresses are separated by comma as your regular expression seems to show:

| rex field=_raw "(?P<addr1>[^,]),(?P<addr2>[^,]),(?P<addr3>[^,]),(?P<addr4>[^,]),(?P<postalcode>.*)"

If the separator is something else, just replace the character in each group.

like image 36
Jean-Pascal J. Avatar answered Oct 22 '25 03:10

Jean-Pascal J.

Sign in to Comment

Related questions

Regexextract decimal number from text with decimals
Python re.sub() with dots
regular expression for line length and multiline input
RegExp to match comma separated hostnames
Strip URL in Python
sed: display lines selected for deleting
Regular expression to reject all non-English characters except some characters with accents
Regex to allow spaces in string - bash
Why is the read-only RegexGenerator.g.cs file (autogenerated by GeneratedRegex attribute) throwing CS0165
Look Behind Regex
PHP Replace EM Dash REGEX
Extract substring using regular expression in R
weird white space characters - utf8 PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!