Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction

smanojkumar
Communicator
‎09-06-2023 12:57 AM

Hi Splunkers!
   I need to extract the specific field which dosent consists of sourcetype in logs,

Fields to extract - OS, OSRelease

smanojkumar_0-1693987025541.png

 

smanojkumar_1-1693987025539.png

 


Thanks in Advance,

Manoj Kumar S

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 03:36 AM

Hi @smanojkumar,

in this case, please try this:

| rex "OS\=\"*(?<OS>[^,\"]*).*OSRelease\=\"*(?<OSRelease>[^,\"]*)"

that you can test at https://regex101.com/r/SQFX88/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 01:01 AM

Hi @smanojkumar ,

if you have the pair fieldname=fieldvalue, you should already have the extraction.

anyway, you could use two regexes like the following:

| rex "OS\=\"(?<OS>[^\"]*)"
| rex "OSRelease\=\"(?<OSRelease>[^\"]*)"

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

smanojkumar
Communicator
‎09-06-2023 03:17 AM

Hi @gcusello ,

   Thanks for your response!

   At rare cased we don't have " " in OS and OSRelease, What would be the regex, that should extract in both the cases, Like

OS="Windows", OS=Windows, OSRelease="jhvdhjc", OSRelease=nsvcv

Thanks in advance!
Manoj Kumar S

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 03:25 AM

Hi @smanojkumar,

if you don't have quotes, you should be sue about the log forma to find a different rule, could you share some samples of your logs with and without quotes?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

smanojkumar
Communicator
‎09-06-2023 03:32 AM

Without ""

info_search_time=1693969036.181, OS=Linux, isBo=false, isFo=false, SCOPE=Unknown, isVIP=false, OSType=Linux, isCACP=false, isCMDB=false, isLost=false, Country=Unknown, isIndus=false, isMcAfee=true, isStolen=false, OSRelease=Unknown,

With ""

info_search_time=1693969036.181, OS="Windows Server 2019 Standard", isBo=true, isFo=false, SCOPE="IN", isVIP=false, OSType=Win, isCACP=false, isCMDB=true, isLost=false, Country=Germany, isIndus=false, isMcAfee=true, isStolen=false, OSRelease="EL Server 7.4 (Maipo", mcafee_LastCommunication="2023-09-05 20:30:35",

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 03:36 AM

Hi @smanojkumar,

in this case, please try this:

| rex "OS\=\"*(?<OS>[^,\"]*).*OSRelease\=\"*(?<OSRelease>[^,\"]*)"

that you can test at https://regex101.com/r/SQFX88/1

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...