I'm trying to do a Sumo Logic search for logs matching the following regular expression:
"Authorization \d+ for story is not voided. Story not removed"
That is, the \d+ consists of one or more digits, but it doesn't matter what they are exactly.
Based on the search examples cheat sheet (https://help.sumologic.com/05Search/Search-Cheat-Sheets/General-Search-Examples-Cheat-Sheet), I've tried to use a * | parse regex pattern for this, but that doesn't work:
I get a 'No capture group found in regex' error. I'm actually not really interested in capturing the digits, though, just in matching the regular expression in my search. How can I achieve this?
I managed to get it to work in two ways. Firstly, using the regular parse instead of parse regex:
* | parse "Authorization * for story is not voided. Story not removed" as id |
count by _sourceHost | sort by _count
or, when using a regular expression, it needs to be a named group:
* | parse regex "Authorization (?<id>\d+) for story is not voided. Story not removed" |
count by _sourceHost | sort by _count
Related
I want to use Sumo Logic to count how often different APIs are called. I want to have a table with API call name and value. My current query is like this:
_sourceCategory="my_category"
| parse regex "GET.+443 (?<getUserByUserId>/user/v1/)\d+" nodrop
| parse regex "GET.+443 (?<getUserByUserNumber>/user/v1/userNumber)\d+"
| count by getUserByUserId, getUserByUserNumber
This gets correct values but they go to different columns. When I have more variables, table becomes very wide and hard to read.
I figured it out, I need to use same group name for all rexexes. Like this:
_sourceCategory="my_category"
| parse regex "GET.+443 (?<endpoint>/user/v1/)\d+" nodrop
| parse regex "GET.+443 (?<endpoint>/user/v1/userNumber)\d+"
| count by endpoint
I am searching for a list of regexes in a splunk alert like this:
... | regex "regex1|regex2|...|regexn"
Can I modify this query to get a table of the regexes found along with their count. The table shouldn't show rows with 0 counts.
regex2 17
regexn 3
The regex command merely filters events. All we know is each result passed the regular expression. There is no record or indication of why or how any event passed.
To do that, you'd have to extract a unique field or value from each regex and then test the resulting events to see which field or value was present. The regex command, however, does not extract anything. You'd need the rex command or the match function to do that.
Looks like | regex line is not needed. This is working for me. Notice the extra brackets.
| rex max_match=0 "(?P<countfields>((regex1)|(regex2)|..|(regexn)))"
| stats count by countfields
I looked through some similar question but couldn't find an example of this sort of logic- what im looking for is a way to parse through a large return of usernames in powershell. User names that are not service accounts or kiosks have a specific naming convention of 6 grouped numeric characters: for example- username123456. I was thinking there has to be a way of using the where-object command but can't find anything on the syntax on technet or other PS resources. The one liner to get a return from the local domain is:
Search-ADAccount -PasswordNeverExpires | Select-Object Name, Enabled
This returns a list of domain accounts that have the password set to never expire. I want to only see the ones with the above naming convention ^^ I know you can achieve this with regex but my regex is quite rusty---if it can be done with where-object that would be optimal. I also looked into using pattern, but it seems to be for more complex returns than this... Thanks!
Are they under a specific OU? You could then use the -Searchbase parameter to limit the scope of the search to that OU.
Otherwise, Regex is probably going to be a good option to accomplish this.
Search-ADAccount -PasswordNeverExpires | Select-Object Name, Enabled | Where {
$_.name -match '\D\d{6}$'
}
I have a sumo logic query where i'm taking a numeric field and summing it, but that fields value is milliseconds so I want to divide the field by 1000 to get the number as seconds.
parse "DownloadDuration=*," as DownloadTime | sum(downloadtime / 1000) as TotalDownloadTime
but sumologic gives me an error: Parse error: ')' expected but '/' found. when i try to do this (even though their help docs seem to suggest this is totally legit.
I had to add another parse statement to alter the fields value.
parse "DownloadDuration=*," as DownloadTime |
(downloadtime / 1000) as DownloadTime |
sum(downloadtime) as TotalDownloadTime
Works perfectly!
I have node for user with FirstName, LastName properties. Now I want to search some value in both properties from both site. Let I have to explain.
FirstName LastName
--------- --------
Manish Pal
Pal Dharmesh
Rajpal Yadav
sharma shreepal
Now I want to search which node's firstname or lastname contain 'pal'.
I have written query like this.
START users=node(*)
WHERE (users.FirstName =~ '(?i)pal.*' OR users.LastName =~ '(?i)pal.*')
RETURN users;
It gives me just 2 nodes, but I want all node with is containing 'pal'
If I try like this
START users=node(*)
WHERE (users.FirstName =~ '(?i)*.pal.*' OR users.LastName =~ '(?i)*.pal.*')
RETURN users;
It is giving me following error.
"PatternSyntaxException"
Dangling meta character '' near index 4 (?i).ant. ^*
I have set example here for your ready reference.
Thanks.
The second query contains invalid regular expression syntax. I think you mean:
START users=node(*)
WHERE (users.FirstName =~ '(?i).*pal.*' OR users.LastName =~ '(?i).*pal.*')
RETURN users
Note the difference to the query in your post:
'(?i)*.pal.*' in your post, and
'(?i).*pal.*' in the above query
The asterisk * means the expression before me [the asterisk] may appear an arbitrary number of times, including zero. But (?i) is no regular expression but just a modifier to ignore the case of the actual expression. I think you meant .*. The regular expression . matches any character, the asterisk allows any character to appear an arbitrary number of times.
Thus, '(?i).*pal.*' says: [ignore case] <arbitrary number of any characters><the exact character sequence: "pal"><arbitrary number of any characters>
The above query returned four results for me:
users.FirstName | users.LastName
---------------------------------
sharma | shreepal
Rajpal | Yadav
Pal | Dharmesh
Manish | Pal
Which is what you wanted, if I understood your correctly.