Usage of Splunk commands : REGEX

Usage of Splunk commands : REGEX is as follows


  • The regex command removes the results that do not match the specified regular expression (with the != form it removes the results that do match).
  • If we don’t specify any field with the regex command, the regular expression is applied to the _raw field by default.


Find below the skeleton of the usage of the command “regex” in SPLUNK:

regex [<field-name>=<regex-expression>] [<field-name>!=<regex-expression>]


Example 1:

index="ip" sourcetype="iplog"
| regex IP="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
| table IP
| dedup IP


Result: (screenshot in the original post)

Explanation:

In the above query “IP” is an existing field in the “ip” index, and the sourcetype is “iplog”. With the “regex” command we keep only the class A private IP addresses (10.0.0.0 to 10.255.255.255) from the “IP” field; the (?<!\d) and (?!\d) lookarounds make sure that an address such as 110.1.2.3 is not matched on its “10.1.2.3” tail. Then with the “table” command we keep only the “IP” field, and with the “dedup” command we remove the duplicate values.

*********************************************************************************

Example 2:

index="ip" sourcetype="iplog"
| regex IP!="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
| table IP
| dedup IP

Result: (screenshot in the original post)

Explanation:

In the above query “IP” is an existing field in the “ip” index, and the sourcetype is “iplog”. With the “regex” command we keep the IP addresses from the “IP” field that are not class A private IP addresses (10.0.0.0 to 10.255.255.255). Here we have used the “!=” operator to keep the results that do not match the regex-expression. Then with the “table” command we keep only the “IP” field, and with the “dedup” command we remove the duplicate values.

**********************************************************************************

Example 3:

index="ip" sourcetype="iplog"
| regex "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"

Result: (two screenshots in the original post)

Explanation:

In the above query “ip” is the index and the sourcetype is “iplog”. With the “regex” command we keep only the events that contain a class A private IP address (10.0.0.0 to 10.255.255.255). Here we don’t specify any field with the “regex” command, so by default the regex-expression is applied to the “_raw” field, i.e. to the whole event text rather than to the extracted “IP” field alone.
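To make the behaviour of the three examples concrete without a Splunk instance, here is an added Python model of the “regex” command (this is example code written for this page, not Splunk’s own code). It runs the same pattern over a few constructed events with the =, != and no-field forms, and also shows a caveat the \d{1,3} octets leave open: the post’s pattern accepts 10.999.1.1, so a stricter octet pattern (an addition here, not from the post) is included beside it.

```python
import re

# Constructed sample events (not from the original post). Each event is a dict
# of Splunk-style fields: "_raw" is the event text, "IP" an extracted field.
EVENTS = [
    {"_raw": "src=10.1.2.3 dst=8.8.8.8 action=allow", "IP": "10.1.2.3"},
    {"_raw": "src=110.1.2.3 dst=10.0.0.5 action=allow", "IP": "110.1.2.3"},
    {"_raw": "src=192.168.4.4 dst=172.16.0.9 action=deny", "IP": "192.168.4.4"},
    {"_raw": "src=10.20.30.40 dst=10.20.30.41 action=deny", "IP": "10.20.30.40"},
    {"_raw": "src=10.999.1.1 dst=1.1.1.1 action=deny", "IP": "10.999.1.1"},
]

# The pattern from the post: the lookarounds stop "110.1.2.3" matching as "10.1.2.3".
PRIVATE_10 = r"(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
# Stricter variant (added here): each octet limited to 0-255, so 10.999.1.1 is rejected.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
PRIVATE_10_STRICT = rf"(?<!\d)10(?:\.{OCTET}){{3}}(?!\d)"


def regex_filter(events, pattern, field="_raw", negate=False):
    """Model of Splunk's regex command. `regex <field>="<pat>"` keeps the events
    whose field contains a match (an unanchored search, as with PCRE in Splunk);
    negate=True is the `!=` form and keeps the non-matching events.
    Assumption made for this example: an event that lacks the field counts as
    a non-match, so the `=` form drops it and the `!=` form keeps it."""
    rx = re.compile(pattern)
    return [ev for ev in events
            if (ev.get(field) is not None and rx.search(ev[field]) is not None) != negate]


def distinct(events, field):
    """Model of `table <field> | dedup <field>`: distinct values in first-seen order."""
    seen = []
    for ev in events:
        value = ev.get(field)
        if value is not None and value not in seen:
            seen.append(value)
    return seen


if __name__ == "__main__":
    # Example 1 of the post: only the 10.x.x.x values of the IP field.
    print("Example 1:", distinct(regex_filter(EVENTS, PRIVATE_10, "IP"), "IP"))
    # Example 2: the != form, every IP value that is not 10.x.x.x.
    print("Example 2:", distinct(regex_filter(EVENTS, PRIVATE_10, "IP", negate=True), "IP"))
    # Example 3: no field given, so _raw is searched; the event whose source is
    # 110.1.2.3 now survives because its destination 10.0.0.5 appears in _raw.
    print("Example 3:", distinct(regex_filter(EVENTS, PRIVATE_10), "IP"))
    # Caveat: \d{1,3} accepts 10.999.1.1; the stricter octet pattern does not.
    print("Strict:", distinct(regex_filter(EVENTS, PRIVATE_10_STRICT, "IP"), "IP"))
```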


Now you can use the “regex” command effectively in your daily work to meet your requirements!

Hope you are now comfortable with: Usage of Splunk commands : REGEX


HAPPY SPLUNKING !!
