Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

'AND' operator in Regular Expressions

Michael_Schyma1
Contributor
‎11-26-2012 06:14 AM

I am trying to only select the data that has Directory Administrators OR Master Web Resource Admins AND I want that data to have MOD in it. So the main part that i am missing here is what operator says AND in regular expressions and send all other data to nullQueue. The pipe between Master Web Resource Admins and the selection of the three numbers is wrong. I need to figure out how to get something that says AND in there. 

#CID_LDAP
[setnullldap]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsingldap]
REGEX = (?:Directory Administrators)|(?:Master Web Resource Admins)|([0-9][0-9][0-9]\s+(:?MOD)\W+)
DEST_KEY = queue
FORMAT = indexQueue

Below is an example of the raw data that is being passed into Splunk:

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 MOD dn="obname=201211104775926,obname=20121011230424,obapp=PSC,o=Oblix,o=scope"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=416 RESULT err=0 tag=103 nentries=0 etime=0 csn=50aa60ef00000

[19/Nov/2012:11:37:10 -0500] conn=883 op=417 SRCH base="obapp=PSC,o=Oblix,o=scope" scope=1 filter="(objectClass=oblixGSN)" attrs="obSeqNo"

[19/Nov/2012:11:37:10 -0500] conn=8813 op=417 RESULT err=0 tag=101 nentries=1 etime=0 Directory Administrators
Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-29-2014 12:07 PM

You can an OR condition in REGEX
REGEX = {something|differentthing)

Or you can use multiple successive transforms to send to the parsing queue.


[myldapsourcetype]
TRANSFORMS-filterevents = setnullldap, setparsingldap_admin, setparsingldap_mod

0 Karma
Reply

wpreston
Motivator
‎11-26-2012 07:44 AM

Would something like this work for you?

op=(?<Feild1>\d+)\sMOD\s.*(?:o=\sDirectory\sAdministrators|o=\sMaster\sWeb\sResource\sAdmins)

I'm using a capturing group for the digits and a non capturing group for the Admins search, but it's simple to change that to a capturing group if need to use it for field extraction. Also, I'm not sure if the space in front of Directory Administrators (and by extension: Master Web Resource Admins) is intentional or not, so please remove it if it shouldn't be there.

Reply

Michael_Schyma1
Contributor
‎11-26-2012 06:48 AM

[19/Nov/2012:11:37:10 -0500] conn=8813713 op=416 MOD dn="obname=20121119T09404775926,obname=20121010T07001230424,obapp=PSC,o=Oblix,o= Directory Administrators"

MOD will come first. If any additional information is needed, just let me know. Thank you so much

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎11-26-2012 06:42 AM

Can you provide a sample line that should be indexed? That is, it matches your stated criteria? The key bit will be the relative position of your selection strings vs. the MOD string (whether it comes before or after...).

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...