topic Re: Why am I unable to extract cookie field? in Splunk Search

Why am I unable to extract cookie field?

jhilton90 — Thu, 07 Jul 2022 17:01:47 GMT

So I'm trying to extract a field called "secureToken=tokenvalue" from our akamai logs. However when I try to extract the field, it gives me the following error message:

The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

I have attempted to manually edit the regex, but I have not a lot of experience with regex so any help would be greatly appreciated

Thanks

Re: Unable to extract cookie field

Azeemering — Thu, 07 Jul 2022 15:15:23 GMT

Please provide a couple of sample events.

Re: Unable to extract cookie field

jhilton90 — Thu, 07 Jul 2022 15:44:17 GMT

Connection: close
Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly
Server-Timing: cdn-cache; desc=MISS
Server-Timing: edge; dur=164
Server-Timing: origin; dur=158
Strict-Transport-Security: max-age=15768000

Re: Unable to extract cookie field

Azeemering — Thu, 07 Jul 2022 16:05:49 GMT

This works as a basic example:

| makeresults | eval _raw="Connection: close Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly Server-Timing: cdn-cache; desc=MISS Server-Timing: edge; dur=164 Server-Timing: origin; dur=158 Strict-Transport-Security: max-age=15768000" | rex "secureToken=(?<secureToken>\d+)"

Re: Unable to extract cookie field

jhilton90 — Thu, 07 Jul 2022 16:15:21 GMT

Hi thanks for the reply!

I just want to extract the secureToken field though.

Thanks

Re: Unable to extract cookie field

Azeemering — Thu, 07 Jul 2022 16:17:04 GMT

I did exactly that in my reply with the part:

| rex "secureToken=(?<secureToken>\d+)"

Re: Unable to extract cookie field

Azeemering — Thu, 07 Jul 2022 16:32:38 GMT

To make it more clear how a regular expression field extractions works:

The rex syntax:

rex field=<field> <PCRE named capture group>

The PCRE named capture group works the following way:

(?<name>regex)
The above expression captures the text matched by regex into the group name.

If you don’t specify the field name, rex applies to _raw (which is the entire event).

Another example to make it more clear:

My example event is:

Thu Jan 16 2018 00:15:06 mailsv1 sshd[5258]: Failed password for invalid user borisjohnson from 194.8.74.23 port 3626 ssh2

I want to extract the username from this:

I do that with:

index=test sourcetype=demo_events | rex user\s(?<username>\w+)\s

This will create the field name username with the extracted value of borisjohnson

From regex101:

Re: Why am I unable to extract cookie field?

jhilton90 — Thu, 07 Jul 2022 17:16:07 GMT

Okay great!

However, I want to extract the "secureToken" bit from the following:

Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly

So I can add add it into the interesting fields section when searching in splunk

Re: Why am I unable to extract cookie field?

Azeemering — Thu, 07 Jul 2022 17:21:48 GMT

I really don't understand you? I just gave you the answer on a silver platter wrapped in a gold bow tie....

Do you actually understand my answer or are you trolling me?

The following spl command will extract the secureToken value and create a field called secureToken.

| rex "secureToken=(?<secureToken>\d+)"

If you still don't understand I suggest you take the splunk course: https://www.splunk.com/en_us/training/courses/using-fields.html

Re: Why am I unable to extract cookie field?

jhilton90 — Fri, 08 Jul 2022 08:51:00 GMT

I get it now don't worry, I was just a bit slow that is all!

Thank you for your help