topic How to fetch unique session strings in Splunk Search

How to fetch unique session strings

rajasek — Thu, 26 Feb 2015 16:53:14 GMT

How can we get all unique session strings from log which can contains all combinations of characters , symbols and digits,
below are the examples of log. i want to target highlighted strings.

ERROR - zrnGuiw32!1424968190354 rrr19876055

**** Error _2zG4484222!-131990868 gdffg19876055

INFO - 2XH-s0aGm2!-1319620932!14267 yyu9879tyuy

Thanks

Re: How to fetch unique session strings

somesoni2 — Fri, 27 Feb 2015 23:06:48 GMT

Are these full log entries OR you just posted a portion of it?
If these are full log entries and if your unique session strings are always in 3rd position, then try something like this

your base search | rex "^([^\s]+\s){2}(?<SessionString>[^\s]+)"

Re: How to fetch unique session strings

cpetterborg — Sat, 28 Feb 2015 00:46:43 GMT

somesoni2's example works great if it is always in the 3rd position. But if that is not the case, you may want additional options. If the session id's are the 2nd to the last fields on the line, then you can do this:

your base search | rex "\s(?<SessionString>[^\s]+)\s+[^\s]+$"

So much depends on seeing a complete set of representative examples. Hopefully these are really representative of the data.

Re: How to fetch unique session strings

rajasek — Mon, 02 Mar 2015 19:41:20 GMT

It worked for me. Thank you so much.
No those are not full log entries, but the regex which you provided is worked 🙂