topic Re: Rex fields from a log fle in Splunk Search

Rex fields from a log fle

rczone — Wed, 30 Sep 2020 04:02:53 GMT

I have the log snippet below want to extract id and hostname into 2 different fields

for example in the expected output from below is

id               host
rmk123     abc.bbb.com@hostname.com
rmc143     bdc.ab.cpm@hostname.com

[01/05/2020 13:06:21] BAUAJM_I_30031 Client [CA WAAE Auto:15515][5][abc@hostname.com:50019:12.304.593.10] [0x80c91100][02/05/2020 13:06:21.8474][0:rmk123@abc.bbb.com@hostname.com 0] API ID [34] execution started.

[01/05/2020 13:06:21] BAUAJM_I_30032 Client [CA WAAE Auto:15509][5][bdc.ab.cpm@hostname.com:12345:19.304.293.10] [0x28bbbfff][02/05/2020 13:06:21.6946][0:rmc143@bdc.ab.cpm@hostname.com 0] API ID [66] execution completed. Total time: 0.132519 seconds.

Please assist

Re: Rex fields from a log fle

somesoni2 — Wed, 05 Feb 2020 19:19:52 GMT

Assuming those values always located in the same relative position( 7th value from starting which are enclosed between square brackets), give this a try

your base search 
| rex "^\[([^\[]+\[){6}[^:]+:(?<id>[^\@]+)@(?<host>\S+)"

Regex101 example of the regex: https://regex101.com/r/1gPnL8/1

Re: Rex fields from a log fle

manjunathmeti — Thu, 06 Feb 2020 05:44:14 GMT

You can use below regex:

| rex field=<FIELD_NAME> "\[0:(?<id>[a-z0-9]+)@(?<name>[a-z@.]+) 0\]"

Test query:

| makeresults | eval test="[01/05/2020 13:06:21] BAUAJM_I_30031 Client [CA WAAE Auto:15515][5][abc@hostname.com:50019:12.304.593.10] [0x80c91100][02/05/2020 13:06:21.8474][0:rmk123@abc.bbb.com@hostname.com 0] API ID [34] execution started.&[01/05/2020 13:06:21] BAUAJM_I_30032 Client [CA WAAE Auto:15509][5][bdc.ab.cpm@hostname.com:12345:19.304.293.10] [0x28bbbfff][02/05/2020 13:06:21.6946][0:rmc143@bdc.ab.cpm@hostname.com 0] API ID [66] execution completed. Total time: 0.132519 seconds." | makemv delim="&" test  | mvexpand test | rex field=test "\[0:(?<id>[a-z0-9]+)@(?<name>[a-z@.]+) 0\]" | table id, name, test

Re: Rex fields from a log fle

vnravikumar — Thu, 06 Feb 2020 06:31:25 GMT

Hi @rczone

Try this

| makeresults 
| eval temp="[01/05/2020 13:06:21] BAUAJM_I_30031 Client [CA WAAE Auto:15515][5][abc@hostname.com:50019:12.304.593.10] [0x80c91100][02/05/2020 13:06:21.8474][0:rmk123@abc.bbb.com@hostname.com 0] API ID [34] execution started.,,

[01/05/2020 13:06:21] BAUAJM_I_30032 Client [CA WAAE Auto:15509][5][bdc.ab.cpm@hostname.com:12345:19.304.293.10] [0x28bbbfff][02/05/2020 13:06:21.6946][0:rmc143@bdc.ab.cpm@hostname.com 0] API ID [66] execution completed. Total time: 0.132519 seconds." 
| makemv delim=",," temp 
| mvexpand temp 
| rex field=temp "\[\S:(?P<id>[^\@]+)@(?P<host>[^\]]\S+)" 
| table id, host