topic Re: Rex to extract string with words and characters in Splunk Search

Rex to extract string with words and characters

AK89 — Fri, 08 Dec 2023 15:58:09 GMT

Looking for help with this rex command. I want to capture the continuous string after "invalid user" whether it has special characters or not. Here are some examples from my data set (abc is just an example, it could be any word or character)

invalid user abc
invalid user abc@def
invalid user $abc
invalid user abc\def
invalid user abc-def

If I run the below, I am able to successfully extract the invaliduser if it is a word. But this does not work if there is a special character

base search | rex "invalid user (?<invaliduser>\w+) "

I have figured out how to extract if there is a leading special character (W+\w+) or a special character in the middle (w+\W+\w+) but those aren't exactly what I'm looking for.

Is there a single rex command I can use to capture all possible results?

Re: Rex to extract string with words and characters

richgalloway — Fri, 08 Dec 2023 16:14:30 GMT

If the string ends with a space then you can extract it using this command

| rex "invalid user (?<invaliduser>\S+)"

If it ends with a comma or other character not part of the string then this command should do it

| rex "invalid user (?<invaliduser>[^,]+)"

Re: Rex to extract string with words and characters

AK89 — Fri, 08 Dec 2023 16:17:04 GMT

That's exactly what I needed. Thanks for the help!

Re: Rex to extract string with words and characters

inventsekar — Fri, 08 Dec 2023 21:55:52 GMT

Dear Splunk new learners...
https://www.youtube.com/@siemnewbies101/playlists

the primary objective of this youtube channel is to teach Splunk newbies / new learners the SPL commands and most importantly the regular expressions. pls check it out, thanks.