Saturday 13 January 2018

Splunk regex

The syntax is:
rex field=<splunk data field> "(?<variable to assign to>regex)"
For example:
If your Splunk _raw field contained the line “The sky is blue” and you wanted to get the word blue and assign it to a variable called COLOUR, you would do the following:
sourcetype="your_source_type" source="/etc/foo/bar" | rex field=_raw "The sky is\s+(?<COLOUR>\w+).*"
i.e. “The sky is” followed by one or more spaces, followed by one or more word characters (which are assigned to the variable COLOUR), followed by 0 or more of any characters. In other words, standard regex, but instead of putting the capture-group parentheses around only the \w+ you also insert ?<variable to assign to> to the left of it, so you end up with (?<COLOUR>\w+).

Now that you have a variable called COLOUR, you can pipe it to a table:
sourcetype="your_source_type" source="/etc/foo/bar" | rex field=_raw "The sky is\s+(?<COLOUR>\w+).*" | table COLOUR
Here’s a real-world example that pulls the HTTP method, response code and URI out of Apache’s access logs and renders them in a table:
sourcetype="psd2:ihs" source="/usr/websphere*/ihs*" | rex field=_raw "(?<METHOD>POST|GET|PUT)\s+(?<URI>.*?)\s+HTTP/1.1\"##(?<CODE>\d+)" | table host, CODE, METHOD, URI
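The two searches above, replayed offline in Python as an added example (this is not code from the post): Python's re module spells Splunk's PCRE named group (?<NAME>...) as (?P<NAME>...), so a helper rewrites the pattern first, and the sample events, host names and the OPTIONS request are constructed here to show what the table looks like when the regex does not match.

```python
import re

# Splunk's rex uses PCRE named groups written (?<NAME>...); Python's re module
# spells the same construct (?P<NAME>...), so patterns copied from a Splunk
# search are rewritten before use. Lookbehinds (?<= and (?<! are left alone.
def splunk_to_python(pattern: str) -> str:
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)

def rex(pattern: str, raw: str) -> dict:
    """Mimic `rex field=_raw "<pattern>"`: the named groups become new fields.
    When the pattern does not match, Splunk adds no fields to the event, so an
    empty dict is returned rather than an error."""
    m = re.search(splunk_to_python(pattern), raw)
    return m.groupdict() if m else {}

# The two patterns from the post. In SPL they sit inside double quotes, so the
# literal quote before ## is escaped as \" there; in a Python raw string it is not.
COLOUR_RE = r"The sky is\s+(?<COLOUR>\w+).*"
ACCESS_RE = r'(?<METHOD>POST|GET|PUT)\s+(?<URI>.*?)\s+HTTP/1.1"##(?<CODE>\d+)'

# Constructed sample events in the "##"-delimited access-log layout the regex
# expects; host is Splunk's own field, _raw is the log line.
SAMPLE_EVENTS = [
    {"host": "web01", "_raw": 'web01 "GET /api/accounts HTTP/1.1"##200'},
    {"host": "web01", "_raw": 'web01 "POST /api/payments HTTP/1.1"##401'},
    {"host": "web02", "_raw": 'web02 "GET /health HTTP/1.1"##200'},
    # The METHOD alternation lists only POST|GET|PUT, so this event yields no fields.
    {"host": "web02", "_raw": 'web02 "OPTIONS /api/accounts HTTP/1.1"##204'},
]

def extract_access_fields(events):
    """`| rex ... | table host, CODE, METHOD, URI` as rows: Splunk's own host
    field plus whatever the regex extracted (nothing, for unmatched events)."""
    return [{"host": ev["host"], **rex(ACCESS_RE, ev["_raw"])} for ev in events]

def table(rows, *fields):
    """`| table f1, f2, ...`: fixed column order, None where a field is absent,
    which is how gaps in the extraction show up in the Splunk table."""
    return [tuple(row.get(f) for f in fields) for row in rows]

if __name__ == "__main__":
    print(rex(COLOUR_RE, "The sky is   blue today"))
    for row in table(extract_access_fields(SAMPLE_EVENTS), "host", "CODE", "METHOD", "URI"):
        print(row)
```

Events whose method is not in the alternation come through with an empty CODE column, so widening the METHOD list (or checking for empty CODE) is the first thing to verify when a count looks low.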
