topic Re: How to use regex to extract just the ID inside of the brackets? in Splunk Search

How to use regex to extract just the ID inside of the brackets?

thefuzz4 — Wed, 22 Aug 2018 21:04:51 GMT

So I have this data

 Aug 22 09:13:46 someservername  <118>1 2018-08-22T09:13:46.743+00:00 ip.address LOGSTASH - - - {"timestamp":1534929226738,"process_id":62,"source":"OpsCodi:0","event_type":"SECURITY_MGMT_REGISTRY","data2":{"srctype":"ops_console"},"user":"U654321","target":"some.server.of.ours","message":"Add User [U123456] ","log_level":"INFO"}

I don't have a way to modify the field extractions or anything so I'm at the mercy of splunk. No admin rights so I've been working on some serious splunk fu with my search.

index=index sourcetype=sourcetype  source="source//*.log" | multikv | mvexpand _raw | search URGP_0="User [*]*" | regex URGP_0=(\[(\w+)\]) |  table URGP_0

So all I want to see is just U123456 and I intend to pipe this into a table in my dashboard once I have the regex working properly.

I am no master with regex but I've plugged it into various checkers online and they all show that it should be working but splunk just continues to show me the full field value which looks like this

User [U123456] ","log_level":"INFO"}

Yes its a terrible field but well prior to me putting in the mvexpand there were no fields detected so now I at least have something to work with.

Also if possible how to extract this user info from it as well

 "user":"U654321"

Thank you for your help with this.

Re: How to use regex to extract just the ID inside of the brackets?

horsefez — Wed, 22 Aug 2018 21:12:02 GMT

Hi @thefuzz4,

you have to escape [ ] characters properly.
Also you are not using the right command.

Something like this should work.
| rex field=_raw "Add\s*User\s*\[(?<user>[^\]]+)\]"

or if you already have a field that contains the value

| rex field=URGP_0 "\[(?<user>[^\]]+)\]"

EDIT:
Changes since your recent edit

| rex field=_raw "\"user\":\"(?<userinfo>[^\"]+)\""

should extract the U654321 value inside of the userinfo field

Second EDIT:

Userinfo:
| rex field=_raw "(?<userinfo>\"user\":\"[^\"]+\")"

should extract the "user":"U654321" into the field userinfo

Re: How to use regex to extract just the ID inside of the brackets?

cpetterborg — Wed, 22 Aug 2018 21:17:14 GMT

Is the field URGP_0 a field that is extracted already? I don't see that you are creating it anywhere in your data, and it isn't a KV pair, so it looks like your search is looking for a field called URGP_0.

It also appears that your data is not complete. You may want to update the question to use the 101010 button to mark the text instead of the " button so that is does it as code instead of a quote.

Re: How to use regex to extract just the ID inside of the brackets?

thefuzz4 — Wed, 22 Aug 2018 21:27:30 GMT

I will update the question to use the 1010 button my apologies.

Yes the URGP_0 is a field that was extracted from it.

Re: How to use regex to extract just the ID inside of the brackets?

thefuzz4 — Wed, 22 Aug 2018 21:32:50 GMT

Thank you that worked like a charm. I also posted a 2nd question in here and of course after I posted it I saw the answer to my 1st part. Don't suppose you have some regex fu for that piece?
By the way yes I did already have the field for the 1st part so I was able to use the bit about the field.

Re: How to use regex to extract just the ID inside of the brackets?

horsefez — Wed, 22 Aug 2018 21:35:52 GMT

Looks at my edits 🙂

Re: How to use regex to extract just the ID inside of the brackets?

thefuzz4 — Wed, 22 Aug 2018 21:37:36 GMT

Sorry meant to be like just the U654321 part

Re: How to use regex to extract just the ID inside of the brackets?

horsefez — Wed, 22 Aug 2018 21:39:09 GMT

@thefuzz4,

no problem. My first edit should give you the right solution. 🙂

Changes since your recent edit

| rex field=_raw "\"user\":\"(?<userinfo>[^\"]+)\""

should extract the U654321 value inside of the userinfo field

Re: How to use regex to extract just the ID inside of the brackets?

thefuzz4 — Wed, 22 Aug 2018 21:40:11 GMT

You rock thank you so much