Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

need to trim search result from left till occurange of PulseSecure: and get everything after that

aliasgar215
Explorer
‎12-27-2021 01:18 AM

Need to trim search result from left till occurange of PulseSecure: and get everything after that. Note post PulseSecure: line length and character may vary. Charcter is mix or alfabet, number, special characters etc

Sample:-

Dec 27 06:29:37 AAAAAA PulseSecure: 2021-12-27 06:29:37 - AAAAAA  - [110.1.1.1] Default Network::aa.aa.aa(AAA_BBB)[BB_CC_EEE]

I need result as below to be saved in field Extracted

2021-12-27 06:29:37 - AAAAAA  - [110.1.1.1] Default Network::aa.aa.aa(AAA_BBB)[BB_CC_EEE]

Labels (1)
Labels
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2021 01:51 AM 
| rex "PulseSecure: (?<Extracted>.*)"
0 Karma
Reply

aliasgar215
Explorer
‎12-27-2021 02:02 AM

i have to extract from field _raw the string portion after PulseSecure: till end of the log

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-27-2021 06:57 AM

i have to extract from field _raw the string portion after PulseSecure: till end of the log

 

Pls run this and update us what result you get:

yourbasesearch | rex field=_raw "PulseSecure: (?<Extracted>.*)" | table Extracted

 

0 Karma
Reply

aliasgar215
Explorer
‎12-27-2021 05:58 PM

still not working, the extracted field is empty

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-28-2021 04:07 AM

Hi @aliasgar215 ..
this is a basic rex and there is no way that this can go wrong. so you are doing some simple mistakes, you should reply some sample messages and your complete search query, then only this can be troubleshooted. hope you understand, thanks. 

 

0 Karma
Reply

aliasgar215
Explorer
‎12-27-2021 01:57 AM

Extracted column came empty not working

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2021 02:05 AM

Here is an example in regex101.com showing it working - the test string is the string you provided - if this does not match your actual events, please provide more examples

https://regex101.com/r/PnGp13/1 

Reply

aliasgar215
Explorer
‎12-27-2021 03:42 AM

my data is un _raw field, so to copy my data with your filter to extracted field, is any thing missing in below syntax.

 

| rex "PulseSecure (?<Extracted>.*)"

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-27-2021 10:39 PM

Hi @aliasgar215,

You have missing : after PulseSecure,  could you please try below? Maybe there are nonprintable characters after :

| rex "PulseSecure:\s+(?<Extracted>.*)"

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

aliasgar215
Explorer
‎12-28-2021 01:36 AM

still same, not working

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-28-2021 02:26 AM

Please can you share more events in a code block </> so we can try to see what might be different

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2021 04:35 AM 
| rex field=un_raw "PulseSecure: (?<Extracted>.*)"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...