Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract field with rex?

altink
Builder
‎01-17-2023 09:47 AM

Dear All.

When searching some database log as
index=my_db ....
I have a field named "statement"  with content as example below:

The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 192.20.21.22]

I need to create a new field, named IP2, with the IP address as above.

In general, the rex command must look for the text between  "[CLIENT: " and "]"

Your help is appreciated

best regards
Altin

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-17-2023 10:28 AM

@altink 

Are you looking for this?

| makeresults 
| eval raw="[CLIENT: 192.20.21.22]"
| rename raw as _raw 
|rename comment as "upto this is sample data" 
| rex field=_raw "\[CLIENT:(?<IP2>.*)\]"

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-17-2023 10:40 AM

I am not getting:

Why makeresults should be there
I have an existing field "statement" from which I need to get the IP, instead of a _raw one
Do not understand part "rename comment .." - I have no field named "comment"

referring to part
 eval raw="[CLIENT: 192.20.21.22]"

part 192.20.21.22 is NOT fixed,  it is just from the example above, it is variable - what I want to get as field IP2


regards
Altin

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-17-2023 06:22 PM

When people reply with solutions they will often post a block of code starting with | makeresults, which means this is an example which you can copy/paste to a Splunk search window and run to demonstrate the solution.

If you do that, you will see that it will create a dummy example and then extract a new field called IP2 with the address as need. The "rename..." is simply telling you that up to the final line, is an example setting up a solution for you.

As @kamlesh_vaghela has shown, the last line is the rex statement you need.

Reply
Solved! Jump to solution

altink
Builder
‎01-18-2023 08:51 AM

Thank you for your answer too

 

regards
Altin

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-17-2023 10:28 AM

@altink 

Are you looking for this?

| makeresults 
| eval raw="[CLIENT: 192.20.21.22]"
| rename raw as _raw 
|rename comment as "upto this is sample data" 
| rex field=_raw "\[CLIENT:(?<IP2>.*)\]"

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-18-2023 08:55 AM

Thank you very much for the solution

regards
Altin

ps. upvote is "accept as solution"?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...