topic Re: Extract text from Message field in Splunk Search

How to extract text from Message field

HMIPowell — Tue, 31 May 2022 13:48:44 GMT

This should be something simple to figure out, but I can't get it to work. I want to extract username from Message field of Sec Event Log

Message=NPS Extension for Azure MFA: CID: 6gof474f-4g9d-894f-asb-9abffedxs618 : Access Accepted for user Barry.Allen@LexLIndustries.org with Azure MFA response: Success and message: session r334r562-cf4f-7584-afc5-essdfs4dd67

I want to pull the email address after 'user' in message and assign it to a field. Any help appreciated.

Re: Extract text from Message field

96nick — Wed, 19 May 2021 19:13:25 GMT

Hey HMIPowell,

If your goal was to do this at search time (meaning in your search) you will use the rex command to accomplish this. There are multiple ways to do the regex and the final solution will depend on what the other logs in your search look like. One way to accomplish this field extraction is to use lookaheads and lookbehinds.

| yoursearch | rex field=Message "((?<email>)?<=user)(.+?(?=with))" | restofsearch

This will extract the email field by taking the text between (and not including) the words 'user' and 'with'. This may not work in your environment if other similar logs are present.

Re: Extract text from Message field

dhirendra761 — Wed, 19 May 2021 20:27:04 GMT

| makeresults | eval Message="NPS Extension for Azure MFA: CID: 6gof474f-4g9d-894f-asb-9abffedxs618 : Access Accepted for user Barry.Allen@LexLIndustries.org with Azure MFA response: Success and message: session r334r562-cf4f-7584-afc5-essdfs4dd67" | rex field=Message "user (?<email>.*) with"

Re: Extract text from Message field

HMIPowell — Thu, 20 May 2021 11:47:53 GMT

I was able to use the following to get what I needed.

| rex field=Message "\S*user (?<TestField>\S*)"

Thanks for some of the ideas

Re: Extract text from Message field

vaishalireddy — Tue, 31 May 2022 06:12:33 GMT

What is <TestField> here?