Solved: Using rex to filter fields

leandromatperei · ‎11-27-2020

Hello everyone,

I have the following pattern of logs and I'm trying to use rex to filter the values, but I'm having problems because of + in some events, can you help me?

I started doing it like this: | rex field=_raw "attr_actor_agent_id\s(?<agent_id>.*)"

I need to get only the last 04 digits after "_"

Example: 1243, 3232, 1122, 5454, etc.

attr_actor_agent_id [str] = "LB_DFSVGLQ_1243"
attr_actor_agent_id [str] = "AT_APARPRI_3232"	
attr_actor_agent_id [str] = "TR_REGIBEL_1122"	
attr_actor_agent_id [str] = "GP_DAYAPAN_5454"	
attr_actor_agent_id [str] = "LB_BIANIBR_5454"	
attr_actor_agent_id [str] = "AS_NAYRVIE_3232"	
attr_actor_agent_id [str] = "AS_LUMANAS_4343"	
attr_actor_agent_id [str] = "AS_MBCEVDJ_9111"
attr_actor_agent_id [str] = "LB_SILVWAN_4343"

ITWhisperer · ‎11-27-2020

rex "attr_actor_agent_id\s\[str\]\s\=\s\"[\w_]+_(?<agent_id>\d+)\""

View solution in original post

ITWhisperer · ‎11-27-2020

rex "attr_actor_agent_id\s\[str\]\s\=\s\"[\w_]+_(?<agent_id>\d+)\""

Using rex to filter fields

using Splunk Enterprise

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023