Can you help me with a field extraction using REGEX?

rohitvjoshi
Path Finder

Hi all,

I am getting an event in the below format:

 28/01/2019
    07:20:54.000    
 USERNAME           FROM             LATEST
Test1            10.0.0.1          Jan 25 15:42:07 2018
admin          10.0.1.31        Jan 15 14:11:26 2019
osadmin      10.0.10.12     Jan 23 16:38:12 2019
awa              10.13.5.21     Oct 1 14:15:16 2018

I am trying to extract USERNAME, FROM and LATEST as fields using the field extraction method. I tried this REGEX for Username:
^(?P\w+\s+), but when I run the field extraction it only gives me the result "USERNAME".

Please help me extract USERNAME, FROM and LATEST from the event via field extraction.

Thanks

Rohit


rutdesanti
New Member

Try this one:

>  | rex "^(?P<myfield>\w\s\w\s\w)"
0 Karma

mayurr98
Super Champion

Hi, can you try this:

index=your_index | rex field=_raw "(?<username>\w+)\s(?<from>\d{1,2}\.\d{1,2}\.\d{1,2}\.\d{1,2})\s(?<latest>.+)"

If there are multiple usernames in one event then you need to add max_match=0 to the rex command.

Let me know if this helps!

0 Karma

rohitvjoshi
Path Finder

No Luck 😞

0 Karma

mayurr98
Super Champion

Can you paste your entire event, using the 101010 (code sample) button, as it looks in Splunk?

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Is each line a different event? When you are trying to get a regex correct, you can test it directly in the search like this:

<your search> | rex "^\s*(?<a_username>\S+)\s+(?<a_from>\S+)\s+(?<a_latest>.+)"

Then you should see your fields extracted. If they aren't correct, adjust the rex as required.

0 Karma

rohitvjoshi
Path Finder

No, this is a single event which gives me the information about the users who logged into UNIX servers.

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Try this then:

<your search> | multikv noheader=t | rex "^\s*(?<a_username>\S+)\s+(?<a_from>\S+)\s+(?<a_latest>.+)"

0 Karma

rohitvjoshi
Path Finder

Thanks, it works 🙂

0 Karma
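The following is an added Python example, not code from this thread or from Splunk, that reproduces the accepted approach offline: `split_rows` stands in for `multikv noheader=t` (one row per non-blank line) and `extract_row` applies the same regex as the accepted answer, written with Python's `(?P<name>...)` group syntax. It also shows why running the regex over the whole multi-line event is fragile: `\s` matches newlines, so the first match swallows the date, time and header lines. `rex_whole_event` is only a Python approximation of `rex ... max_match=0` over `_raw`, not a statement about Splunk's PCRE engine. The sample event is constructed, modelled on the one in the question; the IPv4 filter and the `latest_ts` field are additions of this example.

```python
import re
from datetime import datetime

# Constructed sample event, modelled on the one posted in the question.
EVENT = """\
 28/01/2019
    07:20:54.000
 USERNAME           FROM             LATEST
Test1            10.0.0.1          Jan 25 15:42:07 2018
admin          10.0.1.31        Jan 15 14:11:26 2019
osadmin      10.0.10.12     Jan 23 16:38:12 2019
awa              10.13.5.21     Oct 1 14:15:16 2018
"""

# Same pattern as the accepted answer, in Python's named-group syntax.
ROW_RE = re.compile(r"^\s*(?P<a_username>\S+)\s+(?P<a_from>\S+)\s+(?P<a_latest>.+)")

# Used to keep only rows whose FROM column is an IPv4 address, which drops the
# date/time lines and the USERNAME/FROM/LATEST header (an addition of this example).
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def split_rows(event):
    """Stand-in for `multikv noheader=t`: every non-blank line becomes its own row."""
    return [line for line in event.splitlines() if line.strip()]


def extract_row(line):
    """Stand-in for `rex` on a single row; returns the named groups or None."""
    m = ROW_RE.match(line)
    if not m:
        return None
    # The trailing `.+` keeps trailing blanks, so strip each captured value.
    return {name: value.strip() for name, value in m.groupdict().items()}


def extract_logins(event):
    """Split the event into rows, extract the three fields from each row, keep
    only real login rows, and parse LATEST into a datetime as `latest_ts`."""
    logins = []
    for line in split_rows(event):
        fields = extract_row(line)
        if fields and IPV4_RE.match(fields["a_from"]):
            fields["latest_ts"] = datetime.strptime(fields["a_latest"], "%b %d %H:%M:%S %Y")
            logins.append(fields)
    return logins


def rex_whole_event(event):
    """Python approximation of running the regex over the whole `_raw` with
    max_match=0 (re.MULTILINE so `^` matches at each line start). Because `\\s`
    also matches newlines, the first match spans the date, time and header lines."""
    return [
        {name: value.strip() for name, value in m.groupdict().items()}
        for m in ROW_RE.finditer(event, re.MULTILINE)
        if True
    ] if False else [
        {name: value.strip() for name, value in m.groupdict().items()}
        for m in re.finditer(ROW_RE.pattern, event, re.MULTILINE)
    ]


if __name__ == "__main__":
    for row in extract_logins(EVENT):
        print(row["a_username"], row["a_from"], row["latest_ts"].isoformat())
    print("whole-event first match:", rex_whole_event(EVENT)[0])
```

Running the block prints one line per real login row and then the first match of the whole-event approach, whose `a_username` is the date `28/01/2019` rather than a user, which is the kind of result that sends the thread towards `multikv`.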