Splunk Dev

rex command

itishree
Explorer

I have events like this, from which I have to extract the name shown in bold, like:

Burp-collab

Qualys_scanner_RPA

SIE-PT-BAU-1

SIE-PT-BAU-2Kali

Can anyone help me with this?

<166>2020-09-11T12: [Originator@6870 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Burp-Collab/Burp-Collab.vmx opID=1bcac8c3 user=root]
<13>2020-09-08T05: /vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Qualys_scanner_RPA/Qualys_scanner_RPA.vmx: Connected to mks-fd
<164>2020-09-11T13:[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-1/SIE-PT-BAU-1.vmx] Failed to find activation record, event user unknown.
<166>2020-09-08T05:54:57.060Z siscesxi01.sisc-lab.com Hostd: info hostd[2099583] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-2Kali/SIE-PT-BAU-2Kali.vmx opID=1bca6b2a user=root] Ticket issued for mks service to user: root
1 Solution

thambisetty
SplunkTrust

Values will be extracted into a new field called "newfield":

| rex "(?<newfield>[^\/]+)(?=\.vmx)"
————————————
If this helps, give a like below.


thambisetty
SplunkTrust
index=yourindex
| rex "(?<newfield>[^\/]+)(?=\.vmx)"
| table newfield
————————————
If this helps, give a like below.


itishree
Explorer

Thanks for your response, but I am not getting that specific field.


itishree
Explorer

                                                                                                             count
<13>2020-09-14T09:15:07Z  vmauthd[6227095]: Local connection for                                             1
<13>2020-09-14T10:28:09Z vmauthd[6232159]: Local connection for                                              1
<166>2020-09-14T08:58:37.120Z  Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Found   1
<166>2020-09-14T08:58:37.120Z  Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Starting

I am getting results like this.

I want only the name of that particular field.


samsplunks
Explorer

Following the previous answer, simply use a stats command:

index=yourindex
| rex "(?<newfield>[^\/]+)(?=\.vmx)"
| stats latest(_raw), count by newfield


thambisetty
SplunkTrust

If the value matches the regular expression, then newfield will have values; otherwise not.

The table below doesn't have the values you posted in the question.

————————————
If this helps, give a like below.

itishree
Explorer

| rex "(?<VMX>[^\/]+)\.vmx"


This one works... Thanks for your help.

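As an added check that is not part of the thread, here are the two extraction styles run in Python over the events quoted above, plus a vmauthd line from the follow-up post and one constructed event whose VM name itself contains "vmx" (its hostname is a placeholder). Splunk's PCRE group `(?<name>...)` is spelled `(?P<name>...)` in Python's re; the `count_by_name` helper is mine and mirrors `stats count by newfield`, which drops events where the field is unset.

```python
import re

# Events copied from the question, plus (last two) a vmauthd line from the
# follow-up post and one constructed event with "vmx" inside the VM name.
EVENTS = [
    "<166>2020-09-11T12: [Originator@6870 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Burp-Collab/Burp-Collab.vmx opID=1bcac8c3 user=root]",
    "<13>2020-09-08T05: /vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/Qualys_scanner_RPA/Qualys_scanner_RPA.vmx: Connected to mks-fd",
    "<164>2020-09-11T13:[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-1/SIE-PT-BAU-1.vmx] Failed to find activation record, event user unknown.",
    "<166>2020-09-08T05:54:57.060Z siscesxi01.sisc-lab.com Hostd: info hostd[2099583] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/SIE-PT-BAU-2Kali/SIE-PT-BAU-2Kali.vmx opID=1bca6b2a user=root] Ticket issued for mks service to user: root",
    "<13>2020-09-14T09:15:07Z  vmauthd[6227095]: Local connection for",
    # constructed: VM named "my-vmx-host"; hostname is a placeholder
    "<166>2020-09-14T08:00:00Z esxi.example.invalid Hostd: info hostd[1] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/my-vmx-host/my-vmx-host.vmx opID=1 user=root]",
]

# Splunk's rex uses PCRE named groups "(?<name>...)"; Python's re spells them
# "(?P<name>...)". Everything else in the two patterns is unchanged.
LOOKAHEAD = re.compile(r"(?P<newfield>[^\/]+)(?=.vmx)")  # "." left unescaped
ESCAPED = re.compile(r"(?P<VMX>[^\/]+)\.vmx")            # literal ".vmx"


def extract(pattern, event):
    """First match's capture, or None when rex would leave the field unset."""
    m = pattern.search(event)
    return m.group(1) if m else None


def count_by_name(pattern, events):
    """Like '| stats count by newfield': events without the field drop out."""
    counts = {}
    for ev in events:
        name = extract(pattern, ev)
        if name is not None:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Side by side: unescaped-dot lookahead vs. literal ".vmx" per event.
    for ev in EVENTS:
        print(f"{extract(LOOKAHEAD, ev)!s:22} {extract(ESCAPED, ev)!s:22}")
```

On the four events from the question both patterns return the same VM names and both leave the vmauthd line unset; on the constructed event the unescaped dot lets the lookahead stop at "my", while the literal ".vmx" returns "my-vmx-host".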