topic Attempting to use rex to extract a session id, how to deal with special characters? in Splunk Search

Attempting to use rex to extract a session id, how to deal with special characters?

john_glasscock — Thu, 22 Oct 2015 15:31:05 GMT

I need to extract a session ID out of events, but the special character is causing me problems.

Example:

Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F:
    System: MTA, Source (Reason): None, Action: sent
Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: to=<jbubba@test.org>, delay=0.42, delays=0.41/0/0/0.01, dsn=2.6.0, status=sent (250 2.6.0  <jCAHxoxnu--VD2tu+N8wyHgGndydf=-5Q1H6CVBXc5z82iyQOmWA@mail.gmail.com> Queued mail for delivery)

I want to extract 67BE5D1332D0A82F.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex field=_raw "Session_ID: (?<\]\:>.\w+)"

The above does not work.

Any help would be appreciated,
Thanks,
John

Re: Attempting to use rex to extract a session id, how to deal with special characters?

richgalloway — Thu, 22 Oct 2015 16:38:43 GMT

Your rex command is looking for the string "Session_ID: ", but that string does not exist in your examples. This search finds the string you want.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex "\]: (?<session_id>\w+)"

Re: Attempting to use rex to extract a session id, how to deal with special characters?

somesoni2 — Thu, 22 Oct 2015 16:41:36 GMT

Try something like this

sourcetype=WatchGuard  67BE5D1332D0A82F  | rex "([^:]+:){3}(?<SessionId>[^:]+)"

Re: Attempting to use rex to extract a session id, how to deal with special characters?

john_glasscock — Thu, 22 Oct 2015 18:04:31 GMT

Thank you, I appreciate the help.
I did take it one step farther by adding exact count for session_id to eliminate some random hits.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex "\]: (?\w{16})"