Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
All My Regex’s Live in Texas
By
Splunk
Put down that O’Reilly book about RegEx, quit googling, and saddle up! Ninja’s going Texas style today with a new video on Regular Expressions, or REGEX. Since Splunk is the ultimate swiss army knife for IT, or rather the “belt” in “blackbelt”, I wanted to share with you how I learned about Regex and some powerful ways to use it in your Splunk server.
I did have an O’Reilly book on Regex, and I have spent a great deal of time on the web looking up how to do regex. Still, I like the easy way, and since i’m a visual guy–to no surprise–I have found some great tools that help me. RegexBuddy by JGSoft and Reggy (free on Google Code). RegexBuddy will teach you Regex better than anything else, and Reggy is your shuriken.
Using those tools to help me develop a proper RegEx, I can take what i’ve learned and apply it in Splunk. By no means is being a ninja required to use Splunk, any IT person worth their salt has some special tools and talents they employ to take software products like Splunk to the next level.
<iframe id="viddler-90112c56" src="//www.viddler.com/embed/90112c56/?f=1&autoplay=0&player=full&disablebackwardseek=false&disableseek=false&disableforwardseek=false&make_responsive=false&loop=false&nologo=false&hd=false" width="437" height="288" frameborder="0" scrolling="no" allowfullscreen></iframe>
By the way, not only did I never think I’d live in Texas, how the heck did I end up parodying a song title by George Strait. If you don’t get it. Listen to the song. 
Shout out to the ninjas at University of Texas, Austin who dig Splunk!. Splunk ’em Horns!
Update: “@shadejinx” on Twitter asked.. “Can you extract multiple fields with the Rex format”?
Answer: Of course you can.. guess how? Think for a bit (this is how i figured this out)… … … aha! just add another ” | rex” at the end of that search. In the video above, this scenario is presented:
Event:
:: ... : ... ::::: ...7
In the video example, i’d like to extract the DHCPACK (and other variations) and create a field called “DHCP_ACTION”, so this search is ran:
Search:
source=”/mnt/log/splunk-interop/2008-lv-messages” dhcpd via | rex “dhcpd:\s(?<dhcp_action>\S+)”
But what if, in the same search I wanted to extract that final IP address, being the device by which we requested the IP address. Lets call it “dhcp_subnet_host” Easy, the Splunk search language works as you’d expect it to. Try this:
Search:
source=”/mnt/log/splunk-interop/2008-lv-messages” dhcpd via | rex “dhcpd:\s(?<dhcp_action>\S+)” | rex “via (?<dhcp_subnet_host>\S+)”
The result is, in the same search, I’m able to extract two fields, especially if i have some variance on where that subnet_host is. By doing it this way, I don’t have to write the “mother of all regex’s” to come up with the perfect match–just string searches together and you’re ropin’ cattle.. or log events.!
Blogged with the Flock Browser
----------------------------------------------------
Thanks!
Michael Wilde
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
