
I'm using the rex expressions below to search for the following fields in my raw data:

Address Line 1, Address Line 2, Address Line 3, Address Line 4, and Postcode

| rex "Address Line 1=(?<address1>[^,]*)"  
| rex "Address Line 2=(?<address2>[^,]*)"  
| rex "Address Line 3=(?<address3>[^,]*)"  
| rex "Address Line 4=(?<address4>[^,]*)"  
| rex "Postcode=(?<postcode>[^,]*)"  

As you can see by the expression, each of these fields is then assigned a variable, so for Address Line 1 the variable is 'address1', Address Line 2 is 'address2', and so on.

As you will also no doubt see, the above expression contains multiple rex expressions. Could someone perhaps tell me please, is there a way to combine these into one rex expression?

warren
IRHM

2 Answers


The first example on page https://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Rex shows how to extract multiple fields with a single rex command. If your _raw is multiline, use \n or \r as appropriate. http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/AboutSplunkregularexpressions

gliptak

You simply put several group matches in your regex. Here is an example:

| rex field=_raw "\"SubjectId\":\"(?P<User>[^\"]*)\".*\"GrantType\":\"(?P<GrantType>\w*)\".*\"Category\":\"(?P<Category>\w+)\".*\"Name\":\"(?P<desc>[^\"]*)\".*\"TimeStamp\":\"(?P<TimeStamp>[^\"]*)\".*\"RemoteIpAddress\":\"(?P<IP>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\""

Of course, this requires knowing the order of the fields in advance, which is not required when chaining several 'rex' expressions in your search.

I do find it easier for complex examples to first put a few lines in regex101.app, for instance, to validate the expression (I'm using the locally installed app, but the website works).

EDIT FOLLOWING COMMENT

If all your addresses are separated by commas, as your regular expression seems to show:

| rex field=_raw "(?P<addr1>[^,]*),(?P<addr2>[^,]*),(?P<addr3>[^,]*),(?P<addr4>[^,]*),(?P<postalcode>.*)"

If the separator is something else, just replace the character in each group.

Jean-Pascal J.
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/30794937) – fatih Jan 17 '22 at 11:40
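As an added example (not code from either answer, from the asker, or from the Splunk documentation), the Python script below runs both approaches discussed in this thread over a constructed event in the asker's `Key=value,Key=value` layout: the five separate patterns, one combined pattern with five named groups, and the order-dependence caveat from the second answer. Python's `re` module accepts the `(?P<name>...)` group syntax that Splunk's PCRE-based rex also accepts, so the patterns carry over unchanged. The two sample events, the key names and the field names are assumptions made for the example. It also shows why a single-character class `[^,]` with no `*` is a trap: each group can then match only one character, so on realistic data the combined pattern does not match at all rather than extracting short values.

```python
import re

# Constructed sample events in the asker's "Key=value,Key=value" layout
# (assumed layout; these events are not from the original question).
EVENT = (
    "Address Line 1=10 Downing Street,Address Line 2=Westminster,"
    "Address Line 3=London,Address Line 4=Greater London,Postcode=SW1A 2AA"
)
# Same fields, but this source logged Postcode first.
EVENT_REORDERED = (
    "Postcode=SW1A 2AA,Address Line 1=10 Downing Street,Address Line 2=Westminster,"
    "Address Line 3=London,Address Line 4=Greater London"
)

KEYS = ["Address Line 1", "Address Line 2", "Address Line 3", "Address Line 4", "Postcode"]
NAMES = ["address1", "address2", "address3", "address4", "postcode"]


def group(key, name, value_class=r"[^,]*"):
    """Build one 'Key=(?P<name>...)' fragment; re.escape keeps the key literal."""
    return rf"{re.escape(key)}=(?P<{name}>{value_class})"


# Five independent patterns, mirroring the asker's five chained rex commands.
SEPARATE = [re.compile(group(k, n)) for k, n in zip(KEYS, NAMES)]

# One pattern with five named groups, mirroring the single-rex approach:
# the fields must appear in this exact order, separated by commas.
COMBINED = re.compile(",".join(group(k, n) for k, n in zip(KEYS, NAMES)))

# Same shape but with [^,] instead of [^,]*: each group may match only ONE character.
COMBINED_ONE_CHAR = re.compile(",".join(group(k, n, r"[^,]") for k, n in zip(KEYS, NAMES)))

# What a correct extraction of EVENT should produce.
EXPECTED = {
    "address1": "10 Downing Street",
    "address2": "Westminster",
    "address3": "London",
    "address4": "Greater London",
    "postcode": "SW1A 2AA",
}


def extract_separately(event):
    """Apply each pattern on its own; the order of fields in the event does not matter."""
    fields = {}
    for pattern in SEPARATE:
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def extract_combined(event, pattern=COMBINED):
    """Apply one multi-group pattern; every group must match, in order, or nothing is extracted."""
    match = pattern.search(event)
    return match.groupdict() if match else {}


if __name__ == "__main__":
    print(extract_separately(EVENT))                    # all five fields
    print(extract_combined(EVENT))                      # all five fields
    print(extract_separately(EVENT_REORDERED))          # still all five fields
    print(extract_combined(EVENT_REORDERED))            # {} : order changed, combined pattern fails
    print(extract_combined(EVENT, COMBINED_ONE_CHAR))   # {} : [^,] matches one char, not a field
```

The trade-off is the one the second answer states: one combined regex is a single pass and ties the groups to one event shape, while separate patterns tolerate reordered or missing keys at the cost of several passes. When ingesting data from a source you do not control, test the combined pattern against events where a field is absent or empty as well, since `[^,]*` happily captures an empty string and the whole match still succeeds.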