However, as you gain more experience with field extractions, you will start to realize that the Field Extractor does not always come up with the most efficient regular expressions. Eventually, you will start to leverage the power of the rex command and regular expressions, which is what we are going to look at in detail now.

rex is an SPL (Search Processing Language) command that extracts fields from the raw data based on a pattern you specify using a regular expression. The command takes search results as input (i.e. the command is written after a pipe in SPL). It matches the regular expression pattern against each event and saves the matched value in a field that you specify.

Let's see a working example to understand the syntax.

Thu 00:15:06 mailsv1 sshd: Failed password for invalid user desktop from 194.8.74.23 port 2285 ssh2

The above event is from the Splunk tutorial data. Let's say you want to extract the port number as a field.

Using the rex command, you would use the following SPL:

Once you have the port extracted as a field, you can use it just like any other field. For example, the following SPL retrieves events with port numbers between 10.

| where portNumber >= 1000 AND portNumber

The PCRE named capture group works the following way:

(?<name>regex)

The above expression captures the text matched by regex into the group name.

Note: You may also see (?P<name>regex) used in named capture groups (notice the character P).
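As an added example that is not part of the original post, the following SPL goes a step beyond the single-field extraction above: it pulls both the source IP and the port out of the same sshd event with two named capture groups, keeps only the port range of interest, and counts failed logins per source. The index name, the sourcetype name and the 1000 to 2000 range are assumptions about how the tutorial data was loaded, not values from the post.

```spl
index=main sourcetype=secure "Failed password"
| rex field=_raw "from (?<srcIp>\d{1,3}(?:\.\d{1,3}){3}) port (?<portNumber>\d+) ssh2"
| where tonumber(portNumber) >= 1000 AND tonumber(portNumber) <= 2000
| stats count AS failures BY srcIp
| sort - failures
```

Fields created by rex are strings, so wrapping portNumber in tonumber() makes the range comparison explicitly numeric instead of relying on Splunk's automatic conversion.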