topic Re: Trouble extracting GUIDS and how to make a new field with rex? in Splunk Search

Trouble extracting GUIDS and how to make a new field with rex?

judges88 — Wed, 16 Nov 2022 16:33:38 GMT

Trying to get these UUID/GUIDs to extract from the message field. Hoping to create a rex to extract everything after 'fieldx: ' in the 8-4-4-4-12 character window separated by each , after that. Ive tried the "extract new fields " but there are well over 120 of these things and splunk doesnt like selecting all of that and filtering keeps throwing errors. And would rather not have to do this one by one.

These are embedded in the message field as stated earlier. Id like to make a new field with the rex if possible and name it "fieldx"

Any and all help is welcome.

"message: Filtered marking ids for DAC property 'fieldx': abc12345-b123-c456-d789-123abx789edc, de14fc5e-22av-87dd-65d9-7563a7pleqw3, "(<----there are about 120 more in a row of these)

Thanks in advance

Re: Trouble extracting GUIDS and how to make a new field with rex?

richgalloway — Wed, 16 Nov 2022 16:41:51 GMT

I hope you're not trying to validate the format of each GUID with regex because that is unnecessary. Just extract everything after "fieldx':" as-is. If you wish, you can split the extracted field on commas so each GUID is accessible using mvindex.

| rex "fieldx': (?<fieldx>.*)" | eval fieldx=split(fieldx,", ")

Re: Trouble extracting GUIDS and how to make a new field with rex?

judges88 — Wed, 16 Nov 2022 17:25:52 GMT

I would say im trying to validate the format. Just trying to take all the GUIDs ( they are all 8,4,4,4,12 ) and pull them out specifically into a new field called fieldX. I probably gave a poor description. What you gave me did work, but only if it specifies fieldX in the original message. Is there anyway to just pull out all numbers that match the 8-4-4-4-12 format into a new field?

Sorry i SUCK with rex type inputs.

Re: Trouble extracting GUIDS and how to make a new field with rex?

richgalloway — Wed, 16 Nov 2022 17:34:01 GMT

The OP was pretty clear about "fieldx:" being an eye-catcher, but this command should work with or without it.

| rex max_match=0 "(?<fieldx>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})"

Re: Trouble extracting GUIDS and how to make a new field with rex?

judges88 — Wed, 16 Nov 2022 17:39:35 GMT

Yeah this was my fault and im sorry, not trying to disrespect anyone. I posted this and found a few more logs that contain same GUIDS that dont have that fieldx as part of the message. Sorry about that. But this did work so thank you. Again SUPER new to ever trying REX dont understand 100% of it.

Re: Trouble extracting GUIDS and how to make a new field with rex?

johnhuang — Wed, 16 Nov 2022 17:48:35 GMT

If you want to extract all guids after "fieldx":

| rex max_match=0 "(\'fieldx\':\s)?(?<fieldx_guids>\w{8}\-\w{4}-\w{4}-\w{4}-\w{12})(?:\,\s|\")"

If you want to extract all guids in the data:

| rex max_match=0 "(?<guids>\w{8}\-\w{4}-\w{4}-\w{4}-\w{12})"