Solved: Extracting fields

MicMoo · ‎08-02-2021

I have the following log

2021-08-03T14:12:40,872 th=foo cl=bla p=INFO {"tag":"bla","goo":"SPA","msg":{"dir":"in","correlation":"2035456876870723587526","pack":"ebcdic","0":"1234","3":"001234","4":"000000001234","6":"000000001234","7":"0803141240","11":"521464","41":"51400055","47":"ERT0001234000\\ARDABABDGDG\\GRE1234\\VTE01123400824\\GDE00\\SSER\\Ort612348\\Ort072\\rtI0\\","49":"124","61":"12340000004"}}

I would like to extract the two fields in RED and Pink and rename field to Co

The fields in BOLD GREEN will be key and must be present, rest might or might not.

This is what I got so far

index=bla | rex \"47\":\"*ARD(?<CODA>.{4})

however this is not working and filed is not getting populated.

Thank you

MicMoo · ‎08-02-2021

Solved, should have simplified my search

\\\\ARD(?<RED>\w{4})(?<PINK>\w{4})

View solution in original post

MicMoo · ‎08-02-2021

Thank you @venkatasri , nearly there , when I use what you suggested nothing is extracted , however if I remove the "ARD" string , red and pink where populated but not all cases with the correct info

venkatasri · ‎08-02-2021

Can you share the samples that's not working.

MicMoo · ‎08-02-2021

Solved, should have simplified my search

\\\\ARD(?<RED>\w{4})(?<PINK>\w{4})

venkatasri · ‎08-02-2021

@MicMoo Can you try this?

<your_search> 
| rex "47\".+?\\\\ARD(?<red>\w{4})(?<pink>\w{4})"

Extracting fields

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?