How to extract the field from raw logs

aditsss
Motivator

Hi Everyone,

How can I extract the highlighted field from raw logs:

ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_e-dmrupload

ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_g

ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF ,RoutingPath:blaze-team_e-dmrupload, Body:null

ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF ,RoutingPath:blaze-team_g ,Body:{

Thanks in advance


richgalloway
SplunkTrust

The rex command can extract that field quite easily provided a rule can be written for the field.  What is the format of a valid RoutingPath name?  Is it always "blaze-team_" followed by a letter?

---
If this reply helps you, Karma would be appreciated.

aditsss
Motivator

@richgalloway 

It's not always blaze team; it could be mf, of-gsn, and so on.

How can we make a general regex?


ITWhisperer
SplunkTrust

Rex (regex) is looking for a pattern - you should work out what pattern of letters, numbers, spaces and punctuation you are looking for; this is for both the anchor and the match. Your anchor appears to be "RoutingPath:", but the question is what is the match pattern? For example, "word-word_letter" (blaze-team_g), "word_letter" (mf_a), "word-word_word" (of-gsm_xyz). In the rex expression word would be replaced by \w+, - replaced by \- and letter by \w for example, giving "\w+\-\w+_\w", "\w+_\w", and "\w+\-\w+_\w+" respectively.


aditsss
Motivator

@ITWhisperer 

Can you please provide me with the regex?

Currently my logs are like this:

ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_e-dmrupload

ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_g

ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_b-ivurtupload

ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:mf-gsn-ivurtupload


ITWhisperer
SplunkTrust

RoutingPath:(?<team>\w+\-\w+)

gcusello
SplunkTrust

Hi @aditsss,

To cover all the conditions you need, you have to use two regexes and collapse the results using eval, something like this:

| rex "RoutingPath:(?<RoutingPath1>[^-]*-[^-\n]*)(\-\w+)"
| rex "RoutingPath:(?<RoutingPath2>[^-]*-[^-\n]*)\n"
| eval RoutingPath=coalesce(RoutingPath1,RoutingPath2)

Ciao.

Giuseppe
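To see what the patterns from the two answers above actually capture, here they are run in Python over the sample lines quoted in the thread. This is an added example, not code posted by ITWhisperer, gcusello or the Splunk project: Splunk's rex names groups with (?<name>...), which Python's re module spells (?P<name>...), and because the constructed strings carry no trailing newline, the second coalesce pattern is adapted to also accept end-of-string. The third, delimiter-based pattern (everything after the anchor up to the next comma or whitespace) is this example's own generalization for a "general regex", not something posted in the thread.

```python
import re

# Constructed sample events, copied from the lines quoted in the thread.
SAMPLE_EVENTS = [
    "ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_e-dmrupload",
    "ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_g",
    "ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:blaze-team_b-ivurtupload",
    "ARC EVENT RECEIVED FROM SOURCE ,RoutingPath:mf-gsn-ivurtupload",
    "ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF ,RoutingPath:blaze-team_e-dmrupload, Body:null",
    "ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF ,RoutingPath:blaze-team_g ,Body:{",
]

# ITWhisperer's pattern: anchor on "RoutingPath:", then word-hyphen-word.
# Note that \w also matches "_", so "team_e" is one word for this pattern.
TEAM_RE = re.compile(r"RoutingPath:(?P<team>\w+\-\w+)")

# gcusello's two patterns. The original second pattern ends in a literal \n;
# the strings here have no trailing newline, so end-of-string is accepted too.
# That (?:\n|$) alternative is this example's adaptation, not part of the answer.
PATH1_RE = re.compile(r"RoutingPath:(?P<RoutingPath1>[^-]*-[^-\n]*)(\-\w+)")
PATH2_RE = re.compile(r"RoutingPath:(?P<RoutingPath2>[^-]*-[^-\n]*)(?:\n|$)")

# Delimiter-based alternative (an assumption made for this example): take
# everything after the anchor up to the next comma or whitespace character.
FULL_PATH_RE = re.compile(r"RoutingPath:(?P<RoutingPath>[^,\s]+)")


def extract_team(event):
    """Equivalent of | rex "RoutingPath:(?<team>\\w+\\-\\w+)"."""
    m = TEAM_RE.search(event)
    return m.group("team") if m else None


def extract_path_coalesce(event):
    """Equivalent of the two rex commands followed by
    | eval RoutingPath=coalesce(RoutingPath1,RoutingPath2)."""
    m1 = PATH1_RE.search(event)
    m2 = PATH2_RE.search(event)
    # coalesce() returns the first argument that is not null.
    if m1:
        return m1.group("RoutingPath1")
    if m2:
        return m2.group("RoutingPath2")
    return None


def extract_full_path(event):
    """Delimiter-based capture of the whole RoutingPath value."""
    m = FULL_PATH_RE.search(event)
    return m.group("RoutingPath") if m else None


def extract_all(events):
    """Return (team, coalesced path, full path) for every event."""
    return [
        (extract_team(e), extract_path_coalesce(e), extract_full_path(e))
        for e in events
    ]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{event!r}\n  team={fields[0]!r} coalesce={fields[1]!r} full={fields[2]!r}")
```

Running this shows the trade-off the thread is circling: the word-hyphen-word pattern stops at "blaze-team_e" or "mf-gsn", the two-regex coalesce keeps the same prefix but, on an event such as "...RoutingPath:blaze-team_g ,Body:{", runs on past the space because neither pattern treats "," or whitespace as a terminator, and the delimiter-based pattern returns the complete path in every sample line. Whichever you choose, check it against one event of each format before saving it as a field extraction.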
