Splunk Search

Matching String in line of texts in splunk

rakeshyv0807
Explorer

Hi,

I am quite new to splunk platform. Can you please help me out here with my requirement:

I have to write a logic in my query where if I encounter a particular text in the strings of data I need to pass that text as an entry in my table. Please refer to the following example.

I have a line of data like: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

(OR)

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580

If I encounter data 52e or data 775 in the line of text I need to make an entry in my result table a something like this:

subject error XFF XMSFCIP
xxxxxx data 52e xxxxxxxx xx.xxx.xx.xxx
xxxxxx data 775 xxxxxxxx xx.xxx.xx.xxx
xxxxxx data 775 xxxxxxxx xx.xxx.xxx.xx

Any help is greatly appreciated!

Thanks in advance

Tags (1)
0 Karma

tiagofbmm
Influencer

Hi

Use the strings you are looking for to filter the results, so:

source=yoursource index=yourindex "data 775" OR "data 52e"

Then use rex to extract the error code, like this :

| rex field=_raw "error\scode\s(?<error>\d+)"

( and do the same with the remaining fields I can't understand from your sample, subject, XFF and XMSFCIP)

And finally table everything

| table subject, error, XFF, XMSFCIP
0 Karma

rakeshyv0807
Explorer

Thank you, for your suggestion.

| rex field=errorLDAP "AcceptSecurityContext error,\s(?[^,]+),"

The above worked where errorLDAP holds either (I wrote an eval logic to consume only below string of data) :

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

(OR)

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580

0 Karma

niketn
Legend

@rakeshyv0807, Based on your question and sample data, if only assistance required by you is for extracting error field you can try the following rex command

<YourBaseSearch> "javax.naming.AuthenticationException:" "comment: AcceptSecurityContext error"
| rex "error,\s(?<error>[^,]+),"

If the remaining fields i.e. subject XFF XMSFCIP are also present in the sample log provided, please let us know their corresponding values so that we can assist you with those regular expressions as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rakeshyv0807
Explorer

| rex field=errorLDAP "AcceptSecurityContext error,\s(?[^,]+),"

The above worked where errorLDAP holds either (I wrote an eval logic to consume only below string of data) :

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

(OR)

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580

0 Karma

niketn
Legend

Sorry your issue is not clear? Can you paste code and data as code using the code button i.e. 101010 so that special characters do not escape?

Have you tried the suggested query? What is the final output you need? Are all the fields already extracted or you need assistance with the field extraction? Please add more details so that community members can assist.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...