topic Re: Filtering out part of a value in Splunk Search

Filtering out part of a value?

NizanCohen — Wed, 09 Nov 2022 15:10:15 GMT

Hi all.

I'm working with a FTP server which include a session number with each status and I wish to exclude the session number to be separate value to use later.

Example of the fields are:

[12345156]quit

[14365361]pass

I tried using replace "[*]" with * in cs_status but it won't remove the session number (inside the [] is the session number).

Basic search query:

"index=application sourcetype=FTPlogs"

Thank you for the assistance!

Re: Filtering out part of a value

gcusello — Wed, 09 Nov 2022 12:04:54 GMT

Hi @NizanCohen,

let me understand, are you speaking to replace "[9999]action" with "999action"?

do you mean at search time or at index time?

If at search time, you could use the rex command.

Ciao.

Giuseppe

Re: Filtering out part of a value

NizanCohen — Wed, 09 Nov 2022 13:00:51 GMT

I prefer making the session a separate field.

If possible without the []

Re: Filtering out part of a value

gcusello — Wed, 09 Nov 2022 13:57:30 GMT

Hi @NizanCohen,

yes you can do it, you need a regex, could you share a sample of your logs?

it should be something like this:

| rex field=your_field "^\[(?<session>\d+)\]"

Ciao.

Giuseppe

Re: Filtering out part of a value

NizanCohen — Wed, 09 Nov 2022 13:59:15 GMT

Hi.

Here's an example of two fields:

[1153909]type
[1168228]created

Re: Filtering out part of a value

NizanCohen — Wed, 09 Nov 2022 15:00:13 GMT

I managed to resolve it by using "extract new fields" and simply selected an example of each desired field and Splunk made the regex and the fields for me.

Thanks!

Re: Filtering out part of a value

gcusello — Thu, 10 Nov 2022 07:22:21 GMT

Hi @NizanCohen,

good for you, bu anyway I hint to learn to build your regexes by yourself because they are very much useful!

Please accept one answer for the other people of Community

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉