I have an event code 33205 which comes from Windows application logs, for which field extraction is not happening even though the Windows Add-on is installed.
To extract the statement field in the event, I am using the below regular expression:
| rex field=_raw "statement:(?<statement>[\d\D]*[\n\s])additional"
which extracts the data till the additional_information field. But there are extra spaces which are getting included while extracting, like this:
EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)
The extra spaces are not getting removed. Could you please help me with writing the regex?
Sample event:
database_name:test
schema_name:dbo
object_name:Table_2
statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)
additional_information:
user_defined_information:
application_name:EUPTTOPDBS004\SQLNAV-test-test2-4
There is a fairly unknown gem which is your best friend in these scenarios, "erex".
Easiest to quote examples directly from the documentation, but it works like a champ.
... | erex monthday examples="7/01, 07/02" counterexamples="99/2"
Use "examples" to include samples of what you are searching for, and "counterexamples" to exclude.
Append one or both to your existing search, then view the Job Inspector. It'll give you the correct regex syntax to find what you are looking for. It is extremely useful!
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Erex
Like this:
... | rex "statement\:(?<statement>.*)[\r\n\s]+additional"
| rex "(?m)statement:(?<statement>.*$)"
Try the (?m) option. Or:
| rex "statement:(?<statement>.*+)"
(?m): https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php
Settings » Fields » Field extractions » Add new
search
(default)statement_extraction
sourcetype
your sourcetype
Inline
statement:(?<statement>.*+)
When I use this, I am getting all the data after "statement", like additional_information, user_defined_information and all the other fields. Please let me know what else can be done to get only the required information.
Something is wrong with your log.
Check props.conf and LINE_BREAKER.
@to4kawa this worked when in a normal search query, I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?
I want to know what that (?m) means at the beginning of the regex string. If possible, kindly let me know what documentation you refer to while creating regular expressions.
Hi
Check this
| makeresults
| eval log="database_name:test
schema_name:dbo
object_name:Table_2
statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)
additional_information:
user_defined_information:
application_name:EUPTTOPDBS004\SQLNAV-test-test2-4" |rex field=log "statement:(?P<statement>[^\n]+)"
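As an added example (not from anyone in this thread), the patterns proposed above applied with Python's re module to a constructed copy of the sample event; Python's `.`, `$` and `(?m)` behave like PCRE's here, so the results carry over to Splunk's rex. The `line_safe` pattern is my own variant for CRLF events, not one suggested in the thread.

```python
import re

# Constructed copy of the question's sample event (not a real capture), LF-joined.
STATEMENT = ("EXEC %%Object(MultiName = @qualified_name)"
             ".LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)")
LINES = [
    "database_name:test",
    "schema_name:dbo",
    "object_name:Table_2",
    "statement:" + STATEMENT,
    "additional_information:",
    "user_defined_information:",
    "application_name:EUPTTOPDBS004\\SQLNAV-test-test2-4",
]
EVENT = "\n".join(LINES)
EVENT_CRLF = "\r\n".join(LINES)  # the same event with Windows line endings

# Python's re needs (?P<name>); Splunk's PCRE accepts (?<name>) and (?P<name>).
PATTERNS = {
    # question's pattern: [\d\D] also matches line breaks, and the trailing
    # [\n\s] forces the capture to end on whitespace, so the newline leaks in
    "question": r"statement:(?P<statement>[\d\D]*[\n\s])additional",
    # plain .* never crosses \n, so it stops at the end of the statement line
    "dot_star": r"statement:(?P<statement>.*)",
    # (?m) lets $ anchor at every line end; capture is the same as dot_star
    "multiline": r"(?m)statement:(?P<statement>.*$)",
    # negated class from the last answer; also stops at \n
    "negated": r"statement:(?P<statement>[^\n]+)",
    # hypothetical variant: also excludes \r so CRLF events lose the stray CR
    "line_safe": r"statement:(?P<statement>[^\r\n]+)",
}


def extract(name, event=EVENT):
    """Apply one named pattern and return the captured statement, or None."""
    match = re.search(PATTERNS[name], event)
    return match.group("statement") if match else None


def compare(event=EVENT):
    """Return {pattern name: repr(capture)} so stray whitespace is visible."""
    return {name: repr(extract(name, event)) for name in PATTERNS}


if __name__ == "__main__":
    for label, text in (("LF", EVENT), ("CRLF", EVENT_CRLF)):
        print(label)
        for name, value in compare(text).items():
            print(f"  {name:10} {value}")
```

Running it shows the question's pattern is the only one that captures the line break on LF events, and that on CRLF events every pattern except `line_safe` keeps a trailing carriage return.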
@vnravikumar , This is working when used in a normal query, but I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?