topic How do I extract this field from my sample data using rex? in Splunk Search

How do I extract this field from my sample data using rex?

packet_hunter — Thu, 02 Jun 2016 20:12:40 GMT

Scenario: I need to extract the User out of the following field msg using rex. So, I need abcdefg

Group <XGroupPolicy> User <abcdefg> IP <192.168.0.1> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..

Search:

index = main | rex field=msg [???]

Thank you!

Re: How do I extract this field from my sample data using rex?

somesoni2 — Thu, 02 Jun 2016 20:22:16 GMT

I don't see the value 'abcdefg' in the your sample data. Could you confirm which string from your sample data you need extracted?

Re: How do I extract this field from my sample data using rex?

richgalloway — Thu, 02 Jun 2016 20:24:29 GMT

Assuming the text you want is the second "word" of msg, then this should do it.

... | rex field=msg "\s(?<user>[^\s]*)\s" | ...

You may want to get to know regex101.com. It's a great way to experiment with regular expressions until you find what works.

Re: How do I extract this field from my sample data using rex?

packet_hunter — Thu, 02 Jun 2016 20:26:09 GMT

when I was pasting, the msg field it was not rendering, does it make sense now?
abcdefg is a redacted username

Re: How do I extract this field from my sample data using rex?

richgalloway — Thu, 02 Jun 2016 20:28:47 GMT

Based on your comment, this answer is similar to the one for your previous question.

... | rex field=msg "User (?<user>[^ ]*)" | ...

Re: How do I extract this field from my sample data using rex?

somesoni2 — Thu, 02 Jun 2016 20:28:48 GMT

Try this then

 index = main | rex field=msg "User\s+\<(?<User>[^\>]+)\>"

Re: How do I extract this field from my sample data using rex?

supabuck — Thu, 02 Jun 2016 20:29:28 GMT

Hi Packet Hunter,

This probably is not the cleanest but here is how I would pull all the fields from that simultaneously.

index=blah sourcetype=blah 
| rex "Group\s<(?P<Group>\w+)>\sUser\s<(?P<User>\w+)>\sIP\s<(?P<IP_Address>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})>\sSVC\sMessage:\s(?P<Message_Num>\d+)\/\w+:\s(?P<Message>(.*))" 
| table Group User IP_Address Message_Num Message

Re: How do I extract this field from my sample data using rex?

packet_hunter — Thu, 02 Jun 2016 20:31:12 GMT

Thank you that works

Re: How do I extract this field from my sample data using rex?

packet_hunter — Thu, 02 Jun 2016 20:35:05 GMT

Your code works partially - probably because my first paste did not render correctly and your code worked on that.

I appreciate your help and the refer to the link. Yes REX is a hurdle for me.

This question is similar to the other you answered, however the msg field values are different which is why I asked for more help with a different rex.

Thank you!!

Re: How do I extract this field from my sample data using rex?

packet_hunter — Thu, 02 Jun 2016 20:48:14 GMT

Error in 'rex' command: Encountered the following error while compiling the regex '^(?P\w+)\s(?P\w+)\sIP\s<(?P\d{1': Regex: missing )

Re: How do I extract this field from my sample data using rex?

packet_hunter — Thu, 02 Jun 2016 20:48:41 GMT

Thank you for your attempt I will study it for educational purposes

Re: How do I extract this field from my sample data using rex?

supabuck — Fri, 03 Jun 2016 18:55:45 GMT

Sorry, I am pretty new to regex built within searches. What I usually do is copy a sample message and paste it into the TEST STRING at regex101.com.

After doing that you can work on building your regex and it will highlight the groups in real time!

For searches to rex out result fields I usually will do something like:

index=myIndex sourcetype=jws | rex "^\d+\s+\w+\s\d+\s\d+:\d+:\d+,\d+\s(?P<value1>\w+)\s\[]\[]\[]\s\[(?P<value2>\w+)\]\s(?P<value3>(.*))\s\[]\[(.*)\n(?P<value3>(.*))" | table _time host  value1 value2 value3 value4

Then if you want to do another search on the results for that you can add this onto the search

| search value1="somevalue"

and it will narrow down the results to only include it where value1="somevalue" in the resulting table.

Re: How do I extract this field from my sample data using rex?

packet_hunter — Fri, 03 Jun 2016 19:53:35 GMT

thank you for the response