Getting Data In

Parse some text from log

claudio9494
New Member

Hi everyone,
i've got some log like this:

[2019-02-01 14:51:43][P][APPLICATION/controllers/access_controller.php:166  in access_controller::_get_authenticated_user()] [24418549=Laetitia resoludor] _get_authenticated_user -> session_start
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row()  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [DB] INIT: mysql:host=hidden.com;dbname=myapp
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row()  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] 
SELECT *
        FROM app_exam 
        INNER JOIN  app_qcm ON app_exam.id_qcm = app_qcm.id_qcm
        WHERE app_exam.id_exam = 4506873

[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row()  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] 
[2019-02-01 14:51:52][P][APPLICATION/mappers/exam_login_mapper.php:231 SQL->query_all()  in exam_login_mapper::selectAllByIdExamWithoutXML3()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] 
SELECT id_exam_sheet,  points, note, current_question, total_question,options
        FROM app_exam_login
        INNER JOIN app_exam_sheet ON app_exam_login.id_exam_login = app_exam_sheet.id_exam_login
        where app_exam_login.id_exam=4506873
        order by id_exam_sheet;

I need to parse the [24418549=Laetitia resoludor] part; the field inside the square brackets (numberfield=name) can change.
How can I do that?
I've found a regex that can do that, "[0-9]\d+=([A-Z])\w+ \w+". How can I apply it in Splunk Search & Reporting?


rshah_splunk
Splunk Employee

You can use rex command to accomplish your task.

Ex. | rex field=_raw "[0-9]\d+=(?<myfield>[A-Z]\w+\s+\w+)"

This will extract the value into a field called "myfield".
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Rex


claudio9494
New Member

Thanks, how can I extract it from all events?


rshah_splunk
Splunk Employee

What do you mean by all events? Can you help me understand?
Just to note that, as we have provided field=_raw, we will be applying that regex to the entire raw event.

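The two answers above describe a named-capture-group extraction run with `rex field=_raw` against every event. The following is an added example, not code from the thread or from Splunk, that shows the same extraction in plain Python so the regex can be checked offline before it is put into a search. The sample events are constructed to resemble the ones quoted in the question (the id/name pairs are made up). It runs the regex from the answer as posted, and also a more general pattern, assumed here, that anchors on the surrounding brackets and captures the numeric id and the name as two separate fields; that general form does not depend on the name being exactly two word tokens, which the answer's `[A-Z]\w+\s+\w+` does. Note that Python's `re` spells a named group `(?P<name>...)`, whereas Splunk's rex uses the PCRE form `(?<name>...)`.

```python
import re
from typing import List, Optional, Dict

# Constructed sample events modelled on the question's log format.
# Events 1 and 2 carry the user bracket, event 3 does not, and event 4
# carries a hyphenated name that the answer's regex cannot match.
EVENTS: List[str] = [
    "[2019-02-01 14:51:43][P][APPLICATION/controllers/access_controller.php:166"
    "  in access_controller::_get_authenticated_user()]"
    " [24418549=Laetitia resoludor] _get_authenticated_user -> session_start",
    "[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row()"
    "  in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql] \n"
    "SELECT *\n        FROM app_exam \n        WHERE app_exam.id_exam = 4506873",
    "[2019-02-01 14:52:10][P][APPLICATION/cron.php:1  in cron::run()] scheduled task started",
    "[2019-02-01 14:53:05][P][APPLICATION/controllers/access_controller.php:166"
    "  in access_controller::_get_authenticated_user()]"
    " [31=Anne-Marie Dupont] _get_authenticated_user -> session_start",
]

# The regex from the answer, as posted, translated to Python's named-group
# syntax. It captures only the name part into "myfield".
ANSWER_RE = re.compile(r"[0-9]\d+=(?P<myfield>[A-Z]\w+\s+\w+)")

# A more general pattern (assumed here, not from the thread): anchor on the
# brackets, capture the digits before "=" as user_id and everything up to the
# closing bracket as user_name. The Splunk equivalent would be:
#   | rex field=_raw "\[(?<user_id>\d+)=(?<user_name>[^\]]+)\]"
USER_RE = re.compile(r"\[(?P<user_id>\d+)=(?P<user_name>[^\]]+)\]")


def extract_myfield(event: str) -> Optional[str]:
    """Apply the answer's regex to one raw event; None when it does not match."""
    m = ANSWER_RE.search(event)
    return m.group("myfield") if m else None


def extract_user(event: str) -> Optional[Dict[str, str]]:
    """Apply the general bracket-anchored regex; returns both captured fields."""
    m = USER_RE.search(event)
    if not m:
        return None
    return {"user_id": m.group("user_id"), "user_name": m.group("user_name")}


def extract_all(events: List[str]) -> List[Optional[Dict[str, str]]]:
    """What 'rex field=_raw' does: run the regex over every event, one result each.
    Events without the bracket simply yield no fields (None here)."""
    return [extract_user(e) for e in events]


if __name__ == "__main__":
    for i, event in enumerate(EVENTS, 1):
        print(f"event {i}: myfield={extract_myfield(event)!r} user={extract_user(event)}")
```

The fourth event shows why the bracket-anchored form is the safer choice for anything that feeds a per-user report such as `stats count by user_id`: the answer's regex silently yields no field for a hyphenated name, so that user's activity would drop out of the report, whereas the general pattern still captures it.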