Sometimes our users log in to our web application using the username "myuser" or "mydomain\myuser". It screws up the results for "stats", because myuser and mydomain\myuser are taken as two different users. I need to remove the "mydomain\" string from the username.

Search:
source="/var/log/iis" | eval username=lower(username) | eval username=replace(username,"mydomain\\\\","") | stats count by username | sort -count

Gets broken with an error message, because splunk thinks that I am escaping double quotes instead of the \ sign. When I take "\" out of the statement:
source="/var/log/iis" | eval username=lower(username) | eval username=replace(username,"mydomain","") | stats count by username | sort -count

I am surprised that splunk matches from the right side instead of from the left. How can I get rid of the damn backslash? The statement "\\" should escape the \ sign and not double quotes.

Same thing happens if I try to extract "myuser" from the username with rex:
rex field=_raw "^client\\\\(?.*)"
It gets broken thinking that I am escaping the parenthesis.

It would be nice if Splunk developers included a "chr(ascii-code)" command, so that any character in the search string could be replaced with its ASCII code at the places where the escaping nonsense happens.

Splunk regexes are PCRE, which does allow you to specify a character by codepoint. See: \x, \000 (character whose ordinal is the given hex or octal number).

So this works:
| stats count | eval f="mydomain\myname" | eval g=replace(f,"^mydomain\\x5c","")

But in addition, this works perfectly for me:
| stats count | eval f="mydomain\myname" | eval g=replace(f,"^mydomain\\\\","")

Both return g as myname, so I'm not sure why you have the problem. Note that in the Splunk search string, backslashes that you want to have as part of a regex must themselves be escaped with a backslash. The resulting regexes that are actually applied in the above examples are therefore ^mydomain\x5c and ^mydomain\\.

I wonder what version of Splunk you're on and if there was a bug that was fixed. However, I'm also not sure that the search you provided in your question was correct, as I don't know if you typed extra backslashes in your search string to make it display right, or if you pasted it in unchanged. (I edited your question on the assumption that you had pasted the literal string without editing.)

This topic is going to explain the rex command in Splunk, with lots of Splunk rex examples.

Usage of the Splunk rex command is as follows. The rex command is used for field extraction on the search head: it extracts fields using regular expressions. It is also used to replace or substitute characters or digits in a field with a sed expression (mode=sed). Find below the skeleton of the usage of the Splunk "rex" command:

You have to specify a field with it; otherwise the regular expression is applied to the _raw field.

Suppose we have data coming from any of the indexes, and we want to extract 08/Sep/2018 as DATE.

Query:
index=_internal sourcetype=splunkd_ui_access | rex field=_raw ".*\s+\[(?<DATE>\d+\/\w+\/\d+)\:\d+.*" | table DATE | dedup DATE
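The thread above turns on how many backslashes survive the trip from an SPL string literal to the PCRE engine, and the rex example extracts a date from raw events. The following Python block is an added example, not code from the Splunk Answers thread, the tutorial, or Splunk itself. It models SPL double-quoted string unescaping (a simplified assumption: `\\` becomes `\`, `\"` becomes `"`, everything else passes through), shows which regex PCRE actually receives for the four-backslash form, the `\x5c` form, and the two-backslash form that fails, then runs the normalized `stats count by username` and the `rex ... | dedup DATE` pipeline over constructed sample values. Python's `re` module stands in for PCRE here; it needs `(?P<name>...)` instead of `(?<name>...)`, which the helper rewrites. The sample usernames and splunkd_ui_access lines are constructed for the example. The practical check it illustrates: lower() before replace(), since the anchored regex is case-sensitive, otherwise `MYDOMAIN\myuser` stays a separate row and one user's activity is split across two counts.

```python
import re
from collections import Counter

# Constructed sample data (not from the thread): IIS username values as they
# arrive in the `username` field, and splunkd_ui_access-style raw events.
IIS_USERNAMES = ["MYDOMAIN\\myuser", "myuser", "mydomain\\Other", "other"]
UI_ACCESS_EVENTS = [
    '10.0.0.5 - admin [08/Sep/2018:10:32:11.123 +0000] "GET /en-US/app/search/ HTTP/1.1" 200 1532 - - - 12ms',
    '10.0.0.5 - admin [08/Sep/2018:10:32:15.004 +0000] "GET /en-US/static/js/x.js HTTP/1.1" 304 - - - - 3ms',
    '10.0.0.9 - alice [09/Sep/2018:08:01:00.000 +0000] "POST /en-US/account/login HTTP/1.1" 303 - - - - 40ms',
]


def spl_unescape(body: str) -> str:
    # Simplified model of SPL double-quoted string unescaping (assumption, not
    # Splunk's own code): a backslash followed by a backslash or a double quote
    # yields that character; every other backslash sequence (\d, \s, \x5c, ...)
    # reaches the regex engine unchanged. That is why a regex escape needs one
    # backslash in SPL but a literal backslash needs four.
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "\\\"":
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def pcre_to_python(pattern: str) -> str:
    # Python's re wants (?P<name>...) where PCRE accepts (?<name>...); the
    # lookahead for a name character leaves lookbehinds such as (?<=...) alone.
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def compile_spl_regex(body: str) -> re.Pattern:
    # Compile what PCRE would receive for the text typed between the quotes of
    # an SPL string; raises re.error for a dangling backslash, the same class
    # of complaint the question reports.
    return re.compile(pcre_to_python(spl_unescape(body)))


def describe(body: str) -> str:
    # Report the regex PCRE sees for an SPL literal body, or the compile error.
    regex = spl_unescape(body)
    try:
        re.compile(pcre_to_python(regex))
        return f"ok: {regex}"
    except re.error as exc:
        return f"error: {regex} ({exc})"


def normalize_username(value: str, domain_body: str = r"^mydomain\\\\") -> str:
    # Same order as the thread's search: lower() first, then replace() with the
    # regex derived from the SPL literal (default: the four-backslash form).
    return compile_spl_regex(domain_body).sub("", value.lower())


def count_by_username(values, domain_body: str = r"^mydomain\\\\") -> dict:
    # Equivalent of `| stats count by username` after normalization.
    return dict(Counter(normalize_username(v, domain_body) for v in values))


# The tutorial's rex body; the `+` quantifiers and the <DATE> group name are
# restored from context (the search tables a field called DATE).
REX_DATE_BODY = r".*\s+\[(?<DATE>\d+\/\w+\/\d+)\:\d+.*"


def extract_dates(events) -> list:
    # `| rex field=_raw "..." | table DATE | dedup DATE`, keeping first-seen order.
    pattern = compile_spl_regex(REX_DATE_BODY)
    seen = []
    for event in events:
        m = pattern.match(event)  # leading .* makes match() equivalent to search()
        if m and m.group("DATE") not in seen:
            seen.append(m.group("DATE"))
    return seen


if __name__ == "__main__":
    for body in (r"^mydomain\\\\", r"^mydomain\\x5c", r"^mydomain\\"):
        print(f'"{body}" -> {describe(body)}')
    print(count_by_username(IIS_USERNAMES))
    print(extract_dates(UI_ACCESS_EVENTS))
```

Running it prints the regex that reaches the engine for each literal: the four-backslash and `\x5c` forms both compile to a pattern that matches a literal `mydomain\`, while the two-backslash form leaves a lone trailing backslash and fails to compile, which matches the answer's point that backslashes meant for the regex must themselves be escaped in the search string.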