Splunk Enterprise Security

Need help to write regex.

vaibhavbharadwa
Observer

I have 2 sets of logs. I am supposed to extract the content between the last 2 '#' among the below logs.
Please help.

<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#

<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #

The information written in bold needs to be extracted into a field called 'message'.

I tried the following regex:
(?(field_name_with_angular_brackets)User..\s.)

Please let me know how to do this.

Also please let me know how to combine regex of 2 fields into a single field.

0 Karma

jpolvino
Builder

Another option with just 1 step:

(your search) | rex "#\s(?!.*# )(?<message>[^#]+)#$"

Then if you want to create a new field from two others, just use a period between them.

...
| eval f1="abc"
| eval f2="123"
| eval f3=f1.f2
| eval f4=f1."_".f2

So f3 will be abc123 and f4 will be abc_123

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#:::Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "#\s*(?<message>[^#]+)\s*#\s*$"
0 Karma

niketn
Legend

@vaibhavbharadwaj, try the following regular expression:

|  rex "\#\s*(?<message>[^\#]+)\s*#$"

The following is a run-anywhere example based on the sample data provided. Please try it out and confirm!

|  makeresults
|  fields - _time
|  eval data="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#;Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  rex "\#\s*(?<message>[^\#]+)\s*#$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mydog8it
Builder

Do you have access to the search heads to modify the transforms and props.conf files?

0 Karma

saurabhkharkar
Path Finder

| makeresults
| eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message

Explanation:

| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and dumps it in a new field 'message'
0 Karma
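The "content between the last two '#'" extraction discussed in the answers above, as an added example in Python's re module rather than SPL (this is not code from any poster in the thread). It uses the same pattern shape as the rex answers, but with a lazy `[^#]+?` so the trailing space before the closing '#' in the second event is not captured, and it adds a generic splitter for every '#'-delimited field as a cross-check; the two sample events are the ones from the question, embedded inline.

```python
import re
from typing import List, Optional

# Constructed sample input: the two log lines from the question.
SAMPLE_EVENTS = [
    "<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#",
    "<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #",
]

# Same idea as the thread's rex patterns: the message is the run of non-'#'
# characters sitting right before the closing '#' at end of line.  Python spells
# the named group (?P<name>...); the lazy +? lets the following \s* absorb any
# whitespace before the final '#' instead of keeping it inside the field.
LAST_FIELD_RE = re.compile(r"#\s*(?P<message>[^#]+?)\s*#\s*$")


def extract_message(event: str) -> Optional[str]:
    """Return the text between the last two '#' of an event, or None if absent."""
    m = LAST_FIELD_RE.search(event)
    return m.group("message") if m else None


def split_hash_fields(event: str) -> List[str]:
    """Generalisation: every '#'-delimited field of the event, whitespace-trimmed.

    The syslog header before the first '#' is dropped, as is the empty string
    that follows the closing '#'.
    """
    parts = [p.strip() for p in event.split("#")]
    fields = parts[1:]
    if fields and fields[-1] == "":
        fields.pop()
    return fields


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        msg = extract_message(ev)
        fields = split_hash_fields(ev)
        # Both approaches must agree on the last field.
        assert fields[-1] == msg
        print(f"{len(fields)} fields, message={msg!r}")
```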