Other Usage
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

need to trim search result from left till occurange of PulseSecure: and get everything after that

aliasgar215
Explorer
‎12-27-2021 01:18 AM

Need to trim search result from left till occurange of PulseSecure: and get everything after that. Note post PulseSecure: line length and character may vary. Charcter is mix or alfabet, number, special characters etc

Sample:-

Dec 27 06:29:37 AAAAAA PulseSecure: 2021-12-27 06:29:37 - AAAAAA  - [110.1.1.1] Default Network::aa.aa.aa(AAA_BBB)[BB_CC_EEE]

I need result as below to be saved in field Extracted

2021-12-27 06:29:37 - AAAAAA  - [110.1.1.1] Default Network::aa.aa.aa(AAA_BBB)[BB_CC_EEE]

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2021 01:51 AM 
| rex "PulseSecure: (?<Extracted>.*)"
0 Karma
Reply

aliasgar215
Explorer
‎12-27-2021 02:02 AM

i have to extract from field _raw the string portion after PulseSecure: till end of the log

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-27-2021 06:57 AM

i have to extract from field _raw the string portion after PulseSecure: till end of the log

 

Pls run this and update us what result you get:

yourbasesearch | rex field=_raw "PulseSecure: (?<Extracted>.*)" | table Extracted

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

aliasgar215
Explorer
‎12-27-2021 05:58 PM

still not working, the extracted field is empty

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-28-2021 04:07 AM

Hi @aliasgar215 ..
this is a basic rex and there is no way that this can go wrong. so you are doing some simple mistakes, you should reply some sample messages and your complete search query, then only this can be troubleshooted. hope you understand, thanks. 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

aliasgar215
Explorer
‎12-27-2021 01:57 AM

Extracted column came empty not working

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2021 02:05 AM

Here is an example in regex101.com showing it working - the test string is the string you provided - if this does not match your actual events, please provide more examples

https://regex101.com/r/PnGp13/1 

Reply

aliasgar215
Explorer
‎12-27-2021 03:42 AM

my data is un _raw field, so to copy my data with your filter to extracted field, is any thing missing in below syntax.

 

| rex "PulseSecure (?<Extracted>.*)"

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-27-2021 10:39 PM

Hi @aliasgar215,

You have missing : after PulseSecure,  could you please try below? Maybe there are nonprintable characters after :

| rex "PulseSecure:\s+(?<Extracted>.*)"

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

aliasgar215
Explorer
‎12-28-2021 01:36 AM

still same, not working

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-28-2021 02:26 AM

Please can you share more events in a code block </> so we can try to see what might be different

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2021 04:35 AM 
| rex field=un_raw "PulseSecure: (?<Extracted>.*)"
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...