Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with a field extraction using REGEX?

rohitvjoshi
Path Finder
‎01-27-2019 11:31 PM

Hi all,

I am getting an event in the below format:

 28/01/2019
    07:20:54.000    
 USERNAME           FROM             LATEST
Test1            10.0.0.1          Jan 25 15:42:07 2018
admin          10.0.1.31        Jan 15 14:11:26 2019
osadmin      10.0.10.12     Jan 23 16:38:12 2019
awa              10.13.5.21     Oct 1 14:15:16 2018

I am trying to extract USERNAME , FROM ,LATEST as a field using field extraction method. I tried the REGEX for Username like this :
^(?P\w+\s+), but when I am running the field extraction , it is giving me the Results "USERNAME" only .

Please help me to extract USERNAME,FROM,LATEST from the event via field extraction.

Thanks

Rohit

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-27-2019 11:47 PM

Is each line a different event? When you are trying to get regex's correct, you can test them directly in the search like this:

<your search> | rex "^\s*(?<a_username>\S+)\s+(?<a_from>\S+)\s+(?<a_latest>.+)

Then you should see your fields extracted. if they aren't correct, adjust the rex as required.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rutdesanti
New Member
‎01-28-2019 09:00 AM

Try this one:

>  | rex "^(?P<myfield>\w\s\w\s\w)"
0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-28-2019 02:10 AM

hi can you try this:

index=your_index | rex field=_raw "(?<username>\w+)\s(?<from>\d{1,2}\.\d{1,2}\.\d{1,2}\.\d{1,2})\s(?<latest>.+)"

if there are multiple usernames in 1 event then you need to add max_match=0 in rex command.

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

rohitvjoshi
Path Finder
‎01-28-2019 03:31 AM

No Luck 😞

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-28-2019 03:35 AM

can you paste your entire event in 101010 sample code as it looks like in splunk.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-27-2019 11:47 PM

Is each line a different event? When you are trying to get regex's correct, you can test them directly in the search like this:

<your search> | rex "^\s*(?<a_username>\S+)\s+(?<a_from>\S+)\s+(?<a_latest>.+)

Then you should see your fields extracted. if they aren't correct, adjust the rex as required.

0 Karma
Reply
Solved! Jump to solution

rohitvjoshi
Path Finder
‎01-28-2019 03:32 AM

No , this is Single event which gives me the information about the users who logged in into UNIX Servers.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-28-2019 03:47 AM

Try this then:

<your search> | multikv noheader=t | rex "^\s*(?<a_username>\S+)\s+(?<a_from>\S+)\s+(?<a_latest>.+)

0 Karma
Reply
Solved! Jump to solution

rohitvjoshi
Path Finder
‎01-28-2019 10:58 PM

Thanks ,It workes 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...