Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- extract field between two single quotes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-16-2024
01:14 PM
Sorry i am a noob to regex and splunk regex especially.
Regex to extarct all that is between the two single quotes. there will never be a single quote in the name.
EG extract the client code after word client and same for transaction
2024-01-16 15:04:22.7117 [135] INFO [javalang] Starting Report for client '0SD45' user 'user1' for transaction '123456'
@fieldextraction @Anonymous
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
01-16-2024
03:07 PM
Try something like this
| rex "client\s'(?<client>[^']*)'"
| rex "transaction\s'(?<transaction>[^']*)'"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-17-2024
07:40 AM
Apologies here are events
Event 1:
2024-01-17 09:35:10.3370 [44] INFO[.java..TransLogCallback] Starting Report for client 'OBI96' user 'auto' for transaction '4826143 '' Report ID '222' - Retry #1 Date : 1/17/2024 Time : 9:35:10 AM Message : Mark transaction results: 1, Query : UPDATE transactions SET queued = 0, processing = 1, serviceip = ? , timestarted = now() WHERE clientcode = ? AND username = ? AND transid = ? (100.00.000.00, OBI96, auto, 4826143 ), port = 2222^^-------------------------------------------------------------------^^
Event 2:
2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024 ^^-----------------------------------------------
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
01-17-2024
07:57 AM
So the Report Completed message occurs before the Report Started message?
Assuming it is actually the latest (by _time) that you want to keep, try something like this
index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"
| rex "client\s'(?<client>[^']*)'"
| rex "transaction\s'(?<transaction>[^']*)'"
| rex "user\s'(?<user>[^']*)'"
| rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-" . user . "-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-18-2024
10:41 AM
yes it does. this actually worked. appreciate a ton
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-17-2024
07:00 AM
This is my first query which returns a table user_transaction in order 0BI96-auto-4826143
index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"| rex "client\s'(?<client>[^']*)'" | rex "transaction\s'(?<transaction>[^']*)'" | rex "user\s'(?<user>[^']*)'" | table client,transaction,user | eval user_transaction = client . "-" . user . "-" . transaction | table user_transaction
2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024
this is my actual data i want to match too
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
01-16-2024
03:07 PM
Try something like this
| rex "client\s'(?<client>[^']*)'"
| rex "transaction\s'(?<transaction>[^']*)'"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-16-2024
05:20 PM
Great this works. i went ahead and added eval to it table client,transaction | eval user_transaction = client . "-" . transaction
now the second query returns below result
2024-01-16 19:08:13.3284 [43] INFO [.ServiceClassTraCack] 0LO19-1901631 Report Finished successfully at 7:08:13 PM on 1/16/2024
my first query is returning result as 0LO19-1901631, i want to match these results to above query along with Report Finished snippet
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
01-17-2024
05:38 AM
Try something like this (although to be fair, you haven't shared any sample events or details of your current searches, so this may not work)
| rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-17-2024
06:20 AM
oh i am sorry my current search returns below sample
0BI96-auto-4826143
I need to match this result and correlate if its matching 0BI96-auto-4826143 Report finished and return as finished column, basically comparing two strings
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
01-17-2024
06:31 AM
Again, without seeing your actual data, this may not work
| rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-auto-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sam90651
Loves-to-Learn Lots
01-17-2024
07:13 AM
This is my first query which returns a table user_transaction in order 0BI96-auto-4826143
index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"| rex "client\s'(?<client>[^']*)'" | rex "transaction\s'(?<transaction>[^']*)'" | rex "user\s'(?<user>[^']*)'" | table client,transaction,user | eval user_transaction = client . "-" . user . "-" . transaction | table user_transaction
2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024
this is my actual data i want to match too
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
01-17-2024
07:18 AM
If you aren't going to share your events, it is difficult to advise you further than I have already, especially when you appear to be ignoring my suggestions.
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
