Splunk Enterprise

Using rex to filter fields

leandromatperei
Path Finder

Hello everyone,

I have the following pattern of logs and I'm trying to use rex to filter the values, but I'm having problems because of + in some events, can you help me?

I started doing it like this:  | rex field=_raw "attr_actor_agent_id\s(?<agent_id>.*)"


I need to get only the last 04 digits after "_"

Example: 1243, 3232, 1122, 5454, etc.

 

attr_actor_agent_id [str] = "LB_DFSVGLQ_1243"
attr_actor_agent_id [str] = "AT_APARPRI_3232"	
attr_actor_agent_id [str] = "TR_REGIBEL_1122"	
attr_actor_agent_id [str] = "GP_DAYAPAN_5454"	
attr_actor_agent_id [str] = "LB_BIANIBR_5454"	
attr_actor_agent_id [str] = "AS_NAYRVIE_3232"	
attr_actor_agent_id [str] = "AS_LUMANAS_4343"	
attr_actor_agent_id [str] = "AS_MBCEVDJ_9111"
attr_actor_agent_id [str] = "LB_SILVWAN_4343"

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
rex "attr_actor_agent_id\s\[str\]\s\=\s\"[\w_]+_(?<agent_id>\d+)\""

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
rex "attr_actor_agent_id\s\[str\]\s\=\s\"[\w_]+_(?<agent_id>\d+)\""
0 Karma