Developing for Splunk Enterprise

rex command

Explorer

 I have event like this from here i have to extract bold name  like :

Burp-collab

Qualys_scanner_RPA

SIE-PT-BAU-1

SIE-PT-BAU-2Kali

 

can any one help me on this

 

 

<166>2020-09-11T12: [Originator@6870 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Burp-Collab/Burp-Collab.vmx opID=1bcac8c3 user=root]
<13>2020-09-08T05: /vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Qualys_scanner_RPA/Qualys_scanner_RPA.vmx: Connected to mks-fd
<164>2020-09-11T13:[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-1/SIE-PT-BAU-1.vmx] Failed to find activation record, event user unknown.
<166>2020-09-08T05:54:57.060Z siscesxi01.sisc-lab.com Hostd: info hostd[2099583] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-2Kali/SIE-PT-BAU-2Kali.vmx opID=1bca6b2a user=root] Ticket issued for mks service to user: root

 

 

Labels (1)
0 Karma
1 Solution

Champion

values will be extracted new field called "newfield"

| rex "(?<newfield>[^\/]+)(?=.vmx)"
————————————
If this helps, give a like below.

View solution in original post

Champion
| index=yourindex
| rex "(?<newfield>[^\/]+)(?=.vmx)"
| table newfield
————————————
If this helps, give a like below.
0 Karma

Champion

values will be extracted new field called "newfield"

| rex "(?<newfield>[^\/]+)(?=.vmx)"
————————————
If this helps, give a like below.

View solution in original post

Explorer

thanx for ur response but i am  not getting that  specific field 

0 Karma

Explorer

  count

<13>2020-09-14T09:15:07Z  vmauthd[6227095]: Local connection for1
<13>2020-09-14T10:28:09Z vmauthd[6232159]: Local connection for1
<166>2020-09-14T08:58:37.120Z  Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Found1
<166>2020-09-14T08:58:37.120Z  Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Starting

 

getting result like this  

i want only the name of that particular field

0 Karma

Engager

Following the previous answer, simply use a stats command:

| index=yourindex
| rex "(?<newfield>[^\/]+)(?=.vmx)"
| stats latest(_raw), count by newfield

 

0 Karma

Champion

if the value matches with regular expression then newfield will have values otherwise no.

the table below doesn't have values you posted in question.  

————————————
If this helps, give a like below.
0 Karma

Explorer

| rex "(?<VMX>[^\/]+)\.vmx"

 

This one works...thanx for ur help

0 Karma