topic Re: Regex help extracting session ID in Splunk Search

Regex help extracting session ID

reverse — Wed, 30 Sep 2020 01:06:47 GMT

10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* 17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7
a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb

How do I extract the bold part session id always?
Please help.

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 17:15:52 GMT

@jnudell_2 Please guide.

@Vijeta Please guide.

Re: Regex help extracting session ID

jnudell_2 — Wed, 30 Sep 2020 01:03:57 GMT

Hi @reverse
You can try this regex:

... [ your search stuff ] ...

| rex "^\S+\s+\d{4}\(?<session_id>[^\]+)\*"

Data without the asterisks (*):

... [ your search stuff ] ...

| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:

... [ your search stuff ] ...

| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 17:26:40 GMT

@jnudell_2 it gave me blanks in splunk..

https://regex101.com/r/vzbrqU/1

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 17:28:09 GMT

https://regex101.com/r/vzbrqU/2

Re: Regex help extracting session ID

Vijeta — Wed, 26 Jun 2019 17:45:47 GMT

@reverse Try this

rex field=_raw  "\d{2}.\d{3}.\d{2}.\d{2} 0000\*(?<id>\S+)\*"

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 17:55:13 GMT

hey @Vijeta thanks but no luck ..
Please see here
https://regex101.com/r/vzbrqU/3

Re: Regex help extracting session ID

niketn — Wed, 26 Jun 2019 18:02:59 GMT

@reverse try the following rex command and confirm:

| rex "^[^\s]+\s(?<session_id>[^\s]+)\s"

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 18:07:55 GMT

Thanks @niketnilay .. but did not work ..
Please see here
regexr.com/4ggc2

Re: Regex help extracting session ID

jnudell_2 — Wed, 26 Jun 2019 18:47:33 GMT

Your sample included asterisk symbols, and your regex sample does not. If there are no asterisk symbols you would use a different regex. I have updated the answer.

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 18:54:02 GMT

@jnudell_2 I was trying to make it bold for highlighting purposes .. apologies for the confusion..
it appears that your answer is not updated..

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 18:58:34 GMT

Thanks a ton Sir

Re: Regex help extracting session ID

reverse — Wed, 26 Jun 2019 19:03:00 GMT

Worked like a Charm ...Many thanks again! @jnudell_2