topic Re: Rex need help in Splunk Search

Rex need help

smarechal — Wed, 25 Jan 2012 12:44:21 GMT

Hello,

I need to keep data in bold on this message:

Message=Client IP [193.50.00.00:45780] with username [p.watson@domain.fr] connected successfully to server [10.1.10.160:2598], resource [Outlook 2007] using protocol [ICA].

Is someone could help me with rex, i don't know regex at all.

Thanks a lot!!

Re: Rex need help

dwaddle — Wed, 25 Jan 2012 13:46:33 GMT

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

Re: Rex need help

smarechal — Wed, 25 Jan 2012 14:27:16 GMT

Thank you a lot for your exemple! 🙂

Re: Rex need help

dwaddle — Wed, 25 Jan 2012 14:30:23 GMT

you're welcome. If you don't mind, please accept the answer by clicking the little check mark to the left of it