Hello All,
I am just learning Splunk and using rex, but could you guys help me with my syntax to assist me in extracting specific information from the Message table? Here is my sample syntax:
host="*<hostname>" EventCode=4624 OR EventCode=4724 | table _time host user Message | dedup user
Results in Message:
"An account was successfully logged on.
Subject:
Security ID:
Account Name:
Account Domain:
LogonID:
ETC"
I really just want to pull the first part where it says "An account was successfully logged on." Or the first part of any message, without needing to include the rest of the Message after it. I know the syntax of the search could most definitely be better, but I am just learning how to do these searches, so if anyone has a better recommendation on how to do these searches please let me know. Otherwise, if you could recommend how to filter the rest out through rex, that would be awesome as well! Thank you all in advance!
Here's a simple rex command that uses sed to replace everything after the first period with nothing.
host="*<hostname>" EventCode=4624 OR EventCode=4724
| fields _time host user Message
| dedup user
| rex field=Message mode=sed "s/([^\.]+\.)([\s\S]*)/\1/"
Hey Richgalloway,
This one helped!! Thanks! If it's not too much trouble, is there a site where I can read up on the sed that is being filtered? It looks complex. Say I wanted to filter out not just the beginning line, where can I reference it to pick up other lines? Is this similar to Linux awk?
sed and awk both use regular expressions (regex), but I wouldn't try to learn sed by studying awk. Start with a good regex tutorial, like regexone.com, and use regex101.com for testing your expressions.
In Splunk, sed commands almost always begin with "s" followed by a delimiter, an expression to match, the same delimiter, an expression for the replacement text, the same delimiter again, and optional flags (usually "g" for global, or all, matches).
Plug the first expression into regex101.com to see a full breakdown of what it does. It's not that complex. The first capture group is the text to keep - the first sentence. The rest matches any number of other characters, expressed as a set of space and non-space characters. This allows the expression to match newlines.
The replacement expression is simply a backreference to the first capture group.
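To see the sed expression from the answer above at work outside Splunk, here is an added Python example (not from the original thread) that applies the same regex to a constructed multi-line 4624 Message, and goes one step further by pulling individual "Label: value" lines with a named capture group, which is the same idea as an SPL rex with a named group such as (?<account_name>...). The message text, labels and function names are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample of the multi-line Message field from a Windows 4624 event.
SAMPLE_MESSAGE = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWORKSTATION$
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7
"""

# The sed expression from the answer: group 1 is everything up to and including
# the first period (the first sentence); group 2 ([\s\S]*) is everything else,
# including newlines, which "." alone would not cross.
FIRST_SENTENCE = re.compile(r"([^\.]+\.)([\s\S]*)")


def first_sentence(message: str) -> str:
    """Equivalent of: rex field=Message mode=sed "s/([^\\.]+\\.)([\\s\\S]*)/\\1/"."""
    # count=1 mirrors sed without the "g" flag: only the first match is replaced.
    return FIRST_SENTENCE.sub(r"\1", message, count=1)


def extract_field(message: str, label: str) -> Optional[str]:
    """Pick up one 'Label:<whitespace>value' line from the message body.

    This is the same capture-group idea as an SPL rex such as
      rex field=Message "Account Name:\\s+(?<account_name>\\S+)"
    (hypothetical SPL; the regex is what matters).
    """
    pattern = re.compile(re.escape(label) + r":\s+(?P<value>\S+)")
    m = pattern.search(message)
    return m.group("value") if m else None


if __name__ == "__main__":
    print(first_sentence(SAMPLE_MESSAGE))
    for label in ("Account Name", "Account Domain", "Logon ID"):
        print(f"{label} -> {extract_field(SAMPLE_MESSAGE, label)}")
```

Paste the same message and regex into regex101.com to see the two capture groups highlighted line by line.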
Hi @JM12 ,
Use the below rex command to extract the messages from the event.
| rex "Message=\"(?<message>[^\"]*)\""
Hey Vardhan, I did that but I did not get anything; it did say "missing a search command" before the "^".