Getting Data In

How to extract a field(X) in splunk where it comes right after the another field (Y)?

pavanae
Builder

I have the event as follows 

 

2021-07-12T18:40:56 host_abc MAIN 1 19 1.0.12.34 user_abc "ABCDEF GHIJ KLMN"................

 

From the above I am trying to extract the string which is between the double quotes which comes right after the username field

 

where user_abc is a field value of username field. 

 

 

Labels (1)
Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Unfortunately, there is command to "extract the quoted string that follows the username field" so we have to do it manually.  If there's only one quoted string in the event then this should do it.

| rex "\\\"(?<fieldName>[^\\\"]+)"

If there are multiple quoted strings then we'll have to narrow down the one we want.  This regex looks for quotes after a word that follows a number.

| rex "\d+\s\S+\s\\\"(?<fieldName>[^\\\"]+)"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Unfortunately, there is command to "extract the quoted string that follows the username field" so we have to do it manually.  If there's only one quoted string in the event then this should do it.

| rex "\\\"(?<fieldName>[^\\\"]+)"

If there are multiple quoted strings then we'll have to narrow down the one we want.  This regex looks for quotes after a word that follows a number.

| rex "\d+\s\S+\s\\\"(?<fieldName>[^\\\"]+)"
---
If this reply helps you, Karma would be appreciated.

pavanae
Builder

Thanks for the solution. My event is multiple quoted string Also, the username field contains the value in the below similar format. 

 

A123456

 

For the scenario, does the second Regex works?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The second regex should work, but if you want to be more specific, try this

| rex "\d+\s\[A-Z]\d{6}+\s\\\"(?<fieldName>[^\\\"]+)"
---
If this reply helps you, Karma would be appreciated.

JHannan
Explorer

If this format is set in stone, specifically spacing, use this format to extract the user and the field after it.

^(?:[^\s]+\s+){6}(?<user>[^\s]+)\s\"(?<alphabet>[^\"]+)\"

 

Splunk Regex Documentation

https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/AboutSplunkregularexpressions

Tutorial On Regular Expression

https://www.regular-expressions.info/

Regular Expression Playground to test your regexes

https://regex101.com/

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex "\s\"(?<field>[^\"]+)"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...