All Apps and Add-ons

Search Command: Quantify: How to filter events with only last string last word of event

stagare
New Member
2019-08-26 20:21:18 10.1.82.42 GET /aaaa/bbbb/ccc/ddddd/eeeee username=test&branch=KEL&account=123456789 443 ABCD\HTTP/secure.abc.jss.pre 11.12.13.14 Java1.7.0_191 - 200 0 0 65018

I want only the last value 65018.
I am not able to achieve it with regex.

0 Karma

Sukisen1981
Champion
| makeresults 
|  eval x="2019-08-26 20:21:18 10.1.82.42 GET /aaaa/bbbb/ccc/ddddd/eeeee username=test&branch=KEL∾count=123456789 443 ABCD\HTTP/secure.abc.jss.pre 11.12.13.14 Java1.7.0_191 - 200 0 0 65018"
| rex field=x ".*\s+(?<lastfld>.*)"

replace 'x' by _raw

    | rex field=_raw ".*\s+(?<lastfld>.*)"
0 Karma

Sukisen1981
Champion

hi @stagare

Please accept the answer if it significantly helped resolve your issue or let us know if there are any more issues

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...