Usage of Splunk commands : REGEX
Usage of Splunk commands : REGEX is as follows
- The regex command is a filter: it keeps only the events whose field value matches the specified regular expression (or, with !=, only the events whose value does not match) and discards the rest. It never extracts or modifies fields; to pull a value out of an event into a new field, use the rex command instead.
- If we don't specify any field with the regex command, the regular expression is applied to the _raw field, i.e. the full event text.
Find below the skeleton of the usage of the command "regex" in SPLUNK :
regex ( <field-name>=<regex-expression> | <field-name>!=<regex-expression> | <regex-expression> )
Example 1:
index="ip" sourcetype="iplog"
| regex IP="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
| table IP
| dedup IP
Result:
Explanation:
In the above query "IP" is an existing field in the "ip" index and the sourcetype name is "iplog". With the "regex" command we keep only the events whose "IP" value is in the 10.0.0.0/8 private range (RFC 1918, 10.0.0.0 to 10.255.255.255). The lookbehind (?<!\d) and lookahead (?!\d) make sure the match is not part of a longer number, so an address such as 110.20.30.40 or 10.1.2.345 is not treated as a 10.x.x.x address. Note that \d{1,3} only limits each octet to one to three digits, so a malformed value such as 10.999.1.1 would still pass; if the data may contain such values, restrict each octet to 0-255 in the expression. Then with the "table" command we keep only the "IP" field and with the "dedup" command we remove the duplicate values.
*********************************************************************************
Example 2:
index="ip" sourcetype="iplog"
| regex IP!="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
| table IP
| dedup IP
Result:
Explanation:
In the above query "IP" is an existing field in the "ip" index and the sourcetype name is "iplog". With the "regex" command we keep only the events whose "IP" value is not a 10.0.0.0/8 private address (10.0.0.0 to 10.255.255.255). Here we have used the "!=" operator, which inverts the filter: events that match the regex-expression are removed and the rest are kept. Then with the "table" command we keep only the "IP" field and with the "dedup" command we remove the duplicate values.
**********************************************************************************
Example 3:
index="ip" sourcetype="iplog"
| regex "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
Result:
Explanation:
In the above query "ip" is the index and the sourcetype name is "iplog". With the "regex" command we keep only the events that contain a 10.0.0.0/8 private address (10.0.0.0 to 10.255.255.255). Here we don't specify any field with the "regex" command, so the regex-expression is applied to the "_raw" field. This matters: the expression now matches anywhere in the event text, so an event whose "IP" (source) field holds a public address but whose destination is 10.x.x.x is also kept, whereas Example 1 would have dropped it.
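To see how the three variants above behave side by side, here is an added Python example (not from the original page and not Splunk's own code) that reproduces the semantics of regex, table and dedup over a handful of constructed firewall-style events. It goes a step beyond the page by also running a stricter pattern that limits each octet to 0-255, since \d{1,3} on its own accepts a value such as 10.999.1.1. The event data, the field name IP, the helper names and the treatment of events lacking the field are assumptions made for this example.

```python
import re

# Constructed sample events (not from the original page). Each dict holds the
# event text in _raw plus an already-extracted IP field, as Splunk would have it.
EVENTS = [
    {"_raw": "src=10.1.2.3 dst=8.8.8.8 action=allow",        "IP": "10.1.2.3"},
    {"_raw": "src=192.168.5.5 dst=10.0.0.1 action=deny",     "IP": "192.168.5.5"},
    {"_raw": "src=110.20.30.40 dst=1.1.1.1 action=allow",    "IP": "110.20.30.40"},
    {"_raw": "src=10.999.1.1 dst=1.1.1.1 action=allow",      "IP": "10.999.1.1"},
    {"_raw": "src=172.16.0.9 dst=172.16.0.10 action=allow",  "IP": "172.16.0.9"},
    {"_raw": "src=10.1.2.3 dst=8.8.4.4 action=allow",        "IP": "10.1.2.3"},
]

# The pattern used on the page: 10.x.x.x with lookaround so that the "10" inside
# 110.20.30.40 (preceded by a digit) is not matched.
PAGE_PATTERN = r"(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"

# Stricter variant (assumption of this example): each octet limited to 0-255,
# so a malformed value such as 10.999.1.1 is rejected.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_PATTERN = rf"(?<!\d)10\.{OCTET}\.{OCTET}\.{OCTET}(?!\d)"


def splunk_regex(events, pattern, field="_raw", negate=False):
    """Mimic `| regex <field>=<pattern>` (or `!=` when negate=True).

    Like the Splunk command this is a filter: whole events are kept or dropped
    and no field is changed. An event lacking the field is treated as a
    non-match here (an assumption of this example, not a documented behaviour).
    """
    compiled = re.compile(pattern)
    kept = []
    for ev in events:
        value = ev.get(field)
        matched = value is not None and compiled.search(value) is not None
        if matched != negate:
            kept.append(ev)
    return kept


def dedup(values):
    """Mimic `| dedup <field>`: keep the first occurrence of each value, in order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def example1(events=EVENTS):
    # | regex IP="..." | table IP | dedup IP
    return dedup(ev["IP"] for ev in splunk_regex(events, PAGE_PATTERN, "IP"))


def example2(events=EVENTS):
    # | regex IP!="..." | table IP | dedup IP
    return dedup(ev["IP"] for ev in splunk_regex(events, PAGE_PATTERN, "IP", negate=True))


def example3(events=EVENTS):
    # | regex "..."  -> no field given, so _raw is searched; the event whose
    # source is 192.168.5.5 but whose destination is 10.0.0.1 is now kept too.
    return [ev["_raw"] for ev in splunk_regex(events, PAGE_PATTERN)]


def example1_strict(events=EVENTS):
    # Example 1 with octets limited to 0-255: 10.999.1.1 no longer passes.
    return dedup(ev["IP"] for ev in splunk_regex(events, STRICT_PATTERN, "IP"))


if __name__ == "__main__":
    print("Example 1:", example1())
    print("Example 2:", example2())
    print("Example 3:", *example3(), sep="\n  ")
    print("Example 1 (strict octets):", example1_strict())
```

Running the script shows the three behaviours the page describes: Example 1 keeps the two distinct 10.x values (including the malformed 10.999.1.1), Example 2 keeps the three non-10.x values, and Example 3 keeps four events because it also catches the event whose destination, not source, is a 10.x address. The strict pattern is the one to use when the IP field may contain garbage.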
Now you can effectively use the "regex" command in your daily work to meet your requirements !!
Hope you are now comfortable with : Usage of Splunk commands : REGEX
HAPPY SPLUNKING !!