Extracting fields

MicMoo
Explorer

I have the following log

2021-08-03T14:12:40,872 th=foo cl=bla p=INFO {"tag":"bla","goo":"SPA","msg":{"dir":"in","correlation":"2035456876870723587526","pack":"ebcdic","0":"1234","3":"001234","4":"000000001234","6":"000000001234","7":"0803141240","11":"521464","41":"51400055","47":"ERT0001234000\\ARDABABDGDG\\GRE1234\\VTE01123400824\\GDE00\\SSER\\Ort612348\\Ort072\\rtI0\\","49":"124","61":"12340000004"}}

I would like to extract the two fields in RED and Pink and rename field to Co

The fields in BOLD GREEN will be key and must be present, rest might or might not.

This is what I got so far 

index=bla  | rex \"47\":\"*ARD(?<CODA>.{4})

However, this is not working and the field is not getting populated.

Thank you

1 Solution

MicMoo
Explorer

Solved, should have simplified my search 

 

\\\\ARD(?<RED>\w{4})(?<PINK>\w{4})


MicMoo
Explorer

Thank you @venkatasri, nearly there. When I use what you suggested nothing is extracted; however, if I remove the "ARD" string, red and pink were populated, but not in all cases with the correct info.


venkatasri
SplunkTrust

Can you share the samples that are not working?


venkatasri
SplunkTrust

@MicMoo Can you try this?

<your_search> 
| rex "47\".+?\\\\ARD(?<red>\w{4})(?<pink>\w{4})"
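
The following is an added example, not part of the thread or of Splunk's own code: a Python check of the accepted pattern against constructed events modelled on the log in the question. It goes beyond the thread by comparing the unanchored pattern with a variant tied to field "47" and with extraction from the JSON-decoded value; the anchored pattern, the function names and the sample events are assumptions, and Python needs `(?P<name>...)` where the SPL patterns use `(?<name>...)`.

```python
import json
import re

# Constructed events (shortened from the log in the question). In the raw
# text each separator inside field "47" is two backslashes (JSON escaping).
EVENT_OK = (r'2021-08-03T14:12:40,872 th=foo cl=bla p=INFO {"tag":"bla","msg":'
            r'{"dir":"in","47":"ERT0001234000\\ARDABABDGDG\\GRE1234\\","49":"124"}}')
# Field "47" has no ARD segment, but another field happens to contain one.
EVENT_OTHER_FIELD = (r'2021-08-03T14:12:41,001 th=foo cl=bla p=INFO {"tag":"bla","msg":'
                     r'{"dir":"in","47":"ERT0001234000\\GRE1234\\","61":"X\\ARDZZZZYYYY"}}')

# Accepted pattern from the thread: matches \\ARD anywhere in the raw event.
PAGE_RE = re.compile(r'\\\\ARD(?P<red>\w{4})(?P<pink>\w{4})')
# Assumed variant: [^"]* keeps the match inside the value of key "47"
# (it would stop early at an escaped quote inside that value).
ANCHORED_RE = re.compile(r'"47":"[^"]*?\\\\ARD(?P<red>\w{4})(?P<pink>\w{4})')
# After JSON decoding, each separator is a single backslash.
DECODED_RE = re.compile(r'\\ARD(?P<red>\w{4})(?P<pink>\w{4})')


def extract(pattern, text):
    """Return (red, pink) from the first match of pattern, or None."""
    m = pattern.search(text)
    return (m.group('red'), m.group('pink')) if m else None


def extract_decoded(event):
    """Parse the JSON payload and search only the decoded value of msg["47"]."""
    payload = json.loads(event[event.index('{'):])
    value = payload.get('msg', {}).get('47')
    return extract(DECODED_RE, value) if isinstance(value, str) else None


if __name__ == '__main__':
    for name, event in (('ok', EVENT_OK), ('other field', EVENT_OTHER_FIELD)):
        print(name,
              'page:', extract(PAGE_RE, event),
              'anchored:', extract(ANCHORED_RE, event),
              'decoded:', extract_decoded(event))
```

On the second event the unanchored pattern picks up values from field "61", which is one way an extraction can be populated but not with the correct info.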