Splunk Search

After extracting a field with rex, how can I search for a specific value for this field?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm using the search below to extract a field called MatchID:

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify"
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| table MatchID

Could you tell me please how I would search for a specific MatchID?

Many thanks and kind regards

Chris


jeffland
SplunkTrust

Like so?

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify"
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| table MatchID
| search "1234"


Runals
Motivator

"Could you tell me please how I would search for a specific "MatchID"."

Bake that into the field extractions for that sourcetype so the field automagically is available 😃

Beyond that, as jeffland mentioned, you can use the search command, but I believe you have to specify the field, so to tweak his answer I'd propose something like

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify"
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| search MatchID="1234"

That said, with how he structured the answer, the data is already formatted if you just want to show that field. Otherwise you'd likely want to add formatting commands at the end of what I propose. Based on the subject line of your post, you could use the where command. Often search and where are fairly interchangeable, though there are cases where using one over the other is advantageous. For example, let's say some of the MatchIDs end in numbers, some don't, and you only wanted to look at the ones that do end in numbers. You could do

... | where match(MatchID,"\d+$")

Of course this all overlooks a basic precept of Splunk, which is that if you are looking for specific MatchIDs the best solution, if possible, is to put that into your base search, which can be done even if there isn't a field for it. Maybe something like

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify" "matchid\":\"foo"
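
The post above contrasts three ways of narrowing to a MatchID (a raw term in the base search, `| search MatchID="1234"`, and `| where match(MatchID,"\d+$")`). The following Python script is an added example, not code from the thread or from Splunk: it mirrors the thread's rex pattern over a handful of constructed requestBody strings so you can see which events the pattern catches and which it silently drops, and it models the behaviour of search (case-insensitive exact value) versus where/match (case-sensitive regex). The pattern names, sample bodies and function names are all assumptions made for this example; note that Python spells a named group `(?P<name>...)` while Splunk's rex uses `(?<name>...)`, and that `extract_with_json` stands in for Splunk's `spath` command, which is the safer choice when the field holds well-formed JSON.

```python
import json
import re

# Thread pattern (Python spelling): matchId":"(?<MatchID>[^"]+)
THREAD_PATTERN = re.compile(r'matchId":"(?P<MatchID>[^"]+)')
# Same idea with \s* around the colon so a pretty-printed body is not missed.
TOLERANT_PATTERN = re.compile(r'"matchId"\s*:\s*"(?P<MatchID>[^"]+)')

# Constructed sample values for detail.requestBody (not real audit data).
SAMPLE_BODIES = [
    '{"matchId":"1234","token":"abc"}',
    '{"token":"abc", "matchId": "1234"}',   # space after the colon
    '{"matchId":"AB-CD","token":"def"}',
    '{"matchId":"X-5678","token":"ghi"}',
    '{"token":"zzz"}',                      # no matchId at all
]


def extract_match_ids(bodies, pattern=THREAD_PATTERN):
    """Like `| rex`: the named group value per event, None when the regex misses."""
    results = []
    for body in bodies:
        match = pattern.search(body)
        results.append(match.group("MatchID") if match else None)
    return results


def extract_with_json(bodies):
    """Stand-in for `| spath input=detail.requestBody path=matchId output=MatchID`.

    Assumes each body is a JSON object; anything unparsable yields None.
    """
    results = []
    for body in bodies:
        try:
            results.append(json.loads(body).get("matchId"))
        except json.JSONDecodeError:
            results.append(None)
    return results


def search_exact(match_ids, wanted):
    """Model of `| search MatchID="1234"`: exact value, case-insensitive."""
    return [m for m in match_ids if m is not None and m.lower() == wanted.lower()]


def where_ends_in_digits(match_ids):
    """Model of `| where match(MatchID,"\\d+$")`: regex test, case-sensitive."""
    return [m for m in match_ids if m is not None and re.search(r"\d+$", m)]


if __name__ == "__main__":
    print("rex (thread pattern):  ", extract_match_ids(SAMPLE_BODIES))
    print("rex (tolerant pattern):", extract_match_ids(SAMPLE_BODIES, TOLERANT_PATTERN))
    print("spath-style JSON parse:", extract_with_json(SAMPLE_BODIES))
    ids = extract_with_json(SAMPLE_BODIES)
    print('search MatchID="1234": ', search_exact(ids, "1234"))
    print("where match \\d+$:      ", where_ends_in_digits(ids))
```

The second sample body is the one to watch: the thread's pattern (and, by the same token, a raw base-search term such as `"matchId\":\"1234"`) depends on there being no whitespace between the key and the value, so a request body serialised with spaces would never surface as a MatchID hit. Parsing the JSON instead removes that dependency, which is why spath is preferable to rex whenever the field really is JSON.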

jeffland
SplunkTrust

Because the last command before search was a table with only that specific field, I gave a broader answer. But you are right that as soon as it comes to using actual values for MatchID in a "proper" search, it's a good idea to specify the field you want to search in (with | search MatchID="123").


IRHM73
Motivator

Many thanks and kind regards.

Chris


IRHM73
Motivator

Hi @Runals, thank you for taking the time to reply to my post.

As you can see I have received an answer from @jeffland, but thank you very much for all the information you kindly provided which I've found very useful.

Many thanks and kind regards

Chris



IRHM73
Motivator

Hi @jeffland, thank you for taking the time to come back to me with this. The solution is perfect.

Many thanks and kind regards

Chris


richgalloway
SplunkTrust

What does the data you are trying to match look like?

---
If this reply helps you, Karma would be appreciated.