Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction

smanojkumar
Communicator
‎09-06-2023 12:57 AM

Hi Splunkers!
   I need to extract the specific field which dosent consists of sourcetype in logs,

Fields to extract - OS, OSRelease

smanojkumar_0-1693987025541.png

 

smanojkumar_1-1693987025539.png

 


Thanks in Advance,

Manoj Kumar S

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 03:36 AM

Hi @smanojkumar,

in this case, please try this:

| rex "OS\=\"*(?<OS>[^,\"]*).*OSRelease\=\"*(?<OSRelease>[^,\"]*)"

that you can test at https://regex101.com/r/SQFX88/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 01:01 AM

Hi @smanojkumar ,

if you have the pair fieldname=fieldvalue, you should already have the extraction.

anyway, you could use two regexes like the following:

| rex "OS\=\"(?<OS>[^\"]*)"
| rex "OSRelease\=\"(?<OSRelease>[^\"]*)"

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

smanojkumar
Communicator
‎09-06-2023 03:17 AM

Hi @gcusello ,

   Thanks for your response!

   At rare cased we don't have " " in OS and OSRelease, What would be the regex, that should extract in both the cases, Like

OS="Windows", OS=Windows, OSRelease="jhvdhjc", OSRelease=nsvcv

Thanks in advance!
Manoj Kumar S

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 03:25 AM

Hi @smanojkumar,

if you don't have quotes, you should be sue about the log forma to find a different rule, could you share some samples of your logs with and without quotes?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

smanojkumar
Communicator
‎09-06-2023 03:32 AM

Without ""

info_search_time=1693969036.181, OS=Linux, isBo=false, isFo=false, SCOPE=Unknown, isVIP=false, OSType=Linux, isCACP=false, isCMDB=false, isLost=false, Country=Unknown, isIndus=false, isMcAfee=true, isStolen=false, OSRelease=Unknown,

With ""

info_search_time=1693969036.181, OS="Windows Server 2019 Standard", isBo=true, isFo=false, SCOPE="IN", isVIP=false, OSType=Win, isCACP=false, isCMDB=true, isLost=false, Country=Germany, isIndus=false, isMcAfee=true, isStolen=false, OSRelease="EL Server 7.4 (Maipo", mcafee_LastCommunication="2023-09-05 20:30:35",

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 03:36 AM

Hi @smanojkumar,

in this case, please try this:

| rex "OS\=\"*(?<OS>[^,\"]*).*OSRelease\=\"*(?<OSRelease>[^,\"]*)"

that you can test at https://regex101.com/r/SQFX88/1

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...