
After extracting a field with rex, how can I search for a specific value for this field?

Motivator

Hi, I wonder whether someone may be able to help me please.

I'm using the search below to extract a field called MatchID

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify"
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| table MatchID

Could you tell me please how I would search for a specific MatchID.

Many thanks and kind regards

Chris


Re: After extracting a field with rex, how can I search for a specific value for this field?

SplunkTrust

What does the data you are trying to match look like?

---
If this reply helps you, an upvote would be appreciated.

Re: After extracting a field with rex, how can I search for a specific value for this field?

Champion

Like so?

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify"
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| table MatchID
| search "1234"


Re: After extracting a field with rex, how can I search for a specific value for this field?

Motivator

Hi @jeffland, thank you for taking the time to come back to me with this. The solution is perfect.

Many thanks and kind regards

Chris


Re: After extracting a field with rex, how can I search for a specific value for this field?

Motivator

"Could you tell me please how I would search for a specific "MatchID"."

Bake that into the field extractions for that sourcetype so the field is automagically available 😃

Beyond that, as jeffland mentioned, you can use the search command, but I believe you have to specify the field, so to tweak his answer I'd propose something like

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify"
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| search MatchID="1234"

That said, with how he structured the answer, the data is already formatted if you are just wanting to show that field. Otherwise you'd likely want to add formatting commands at the end of what I propose. Based on the subject line of your post, you could use the where command. Often search and where are fairly interchangeable, though there are cases where using one over the other is advantageous. For example, let's say some of the MatchIDs end in numbers, some don't, and you only wanted to look at the ones that did end in numbers. You could do

... | where match(MatchID,"\d+$")

Of course, this all overlooks a basic precept of Splunk, which is: if you are looking for specific MatchIDs, the best solution, if possible, is to put that into your base search, which can be done even if there isn't a field for it. Maybe something like

index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify" "matchid\":\"foo"
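Pulling the three approaches from this thread into one pipeline (an added example, not part of any post in the thread): it assumes the same index, audit fields and JSON request body as Chris's search, and the ID value a1b2c3 is a constructed placeholder.

```spl
index=main auditSource=authenticator auditType=ServiceReceivedRequest detail.input="Request to /authenticator/verify" "matchId\":\"a1b2c3\""
| rex field="detail.requestBody" "matchId\":\"(?<MatchID>[^\"]+)"
| search MatchID="a1b2c3"
| where match(MatchID, "^[0-9a-f]+$")
| table _time, MatchID, detail.requestBody
```

The quoted fragment in the base search prunes events before rex runs, which is the cheap filter Runals described; the `| search MatchID="a1b2c3"` line is the field-scoped check from this thread and is case-insensitive and accepts wildcards such as `a1b2*`, whereas `where MatchID="a1b2c3"` compares exactly and is case-sensitive. `match()` is also case-sensitive unless the regex starts with `(?i)`; here it rejects any extracted value that is not plain hex, which is a useful sanity check before trusting an ID pulled out of a request body with a regex. If the body is well-formed JSON, `| spath input=detail.requestBody path=matchId output=MatchID` extracts the same value without the quote-escaping, and copes with escaped quotes inside the value that the `[^\"]+` pattern would truncate.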

Re: After extracting a field with rex, how can I search for a specific value for this field?

Motivator

Hi @Runals, thank you for taking the time to reply to my post.

As you can see, I have received an answer from @jeffland, but thank you very much for all the information you kindly provided, which I've found very useful.

Many thanks and kind regards

Chris


Re: After extracting a field with rex, how can I search for a specific value for this field?

Champion

Because the last command before search was a table with only that specific field, I gave a broader answer. But you are right that as soon as it comes to using actual values for MatchID in a "proper" search, it's a good idea to specify the field you want to search in (with | search MatchID="123").


Re: After extracting a field with rex, how can I search for a specific value for this field?

Motivator

Many thanks and kind regards.

Chris
