Splunk Search

Extract field using rex

osasfrancis
Path Finder

I have the below test raw logs

CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=testuser1 sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-01 15:58:50.624 destinationHosts=N/A eventId=4762037341417287789

CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=domain\\testuser sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-02 15:58:50.624 destinationHosts=N/A eventId=4762037341417287788

CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=tuser sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-04 15:58:50.624 destinationHosts=N/A eventId=4762037341417287787

CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| act=Permitted duser=destuser@gmail.com fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test cat=Test Category sourceServiceName=Endpoint Printing analyzedBy=Policy Engine testengine loginName=N/A sourceIp=N/A severityType=LOW sourceHost=testhost productVersion=8.0 maxMatches=0 timeStamp=2021-09-03 15:58:50.624 destinationHosts=N/A eventId=4762037341417287786


I am trying to use rex to extract a field called loginName, in which the regex will capture all entries after the "loginName=" text.

I have tried ...| rex field=_raw "(loginName=)(?<loginName>[^\=]+)(?=\s)", but it does not capture all events.

Please assist.

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

You can play with this at https://regex101.com/r/10Rhs4/1

Rich's regex also handles spaces in the name, which doesn't happen if you are using whitespace as the end character.

r. Ismo


0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your regex and this simplified version of it

loginName=(?<loginName>[^=]+)\s

works fine with the sample events.  Please share an event where the regex fails.  Or show the expected results and your actual results.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

I wouldn't capture [^=]. Maybe in this particular case you don't have users with "=" in the middle of their login but in general, I'd try to come up with a more generalized solution (like capturing up to a first whitespace?).

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The regex says to capture everything until the first equals sign so, of course, equals signs are not captured.  Your sample events don't have equals signs in the loginName field so the existing regex should be fine.  If you have examples of loginName values with "=" in them then please share.  To capture up to the first whitespace, use \S+.

---
If this reply helps you, Karma would be appreciated.


osasfrancis
Path Finder

Hi,

This solved my problem. Thanks

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I don't recall, to be completely honest, what the CEF specification says - where can there be spaces or equal signs. It'd be most reasonable to check with the specs and adjust the regex accordingly. As we can see from the example surely the values can have unescaped spaces. I'm not sure about equal signs in values and spaces in key names. And I'm not 100% sure whether this is a proper CEF 😉

0 Karma
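To make the thread's two points concrete (Rich's `[^=]+\s` keeps spaces in the value, `\S+` does not, and neither survives a CEF-escaped `=`), here is an added example, not from the thread or from Splunk, that runs both rex-style patterns over constructed events shaped like the ones above and compares them with a small CEF extension parser. The parser assumes the CEF extension convention that keys are word characters, values may contain unescaped spaces, and a literal `=` or `\` in a value is escaped as `\=` or `\\`.

```python
import re

# Constructed events shaped like the thread's Forcepoint DLP lines (header kept,
# extension abbreviated, loginName values made up to cover the edge cases).
HEADER = "CEF:0|Forcepoint|Forcepoint DLP|8.8.0|55564097|DLP Syslog|2| "
PREFIX = "act=Permitted fname=testfile.PDF.TXT - 11.01 KB msg=EndPoint Operation suser=User, Test "
SAMPLE_EVENTS = [
    HEADER + PREFIX + "loginName=testuser1 sourceIp=N/A severityType=LOW",
    HEADER + PREFIX + "loginName=domain\\\\testuser sourceIp=N/A severityType=LOW",  # CEF-escaped '\'
    HEADER + PREFIX + "loginName=N/A sourceIp=N/A severityType=LOW",
    HEADER + PREFIX + "loginName=Test User sourceIp=N/A severityType=LOW",            # space in value
    HEADER + PREFIX + "loginName=Test User\\=1 sourceIp=N/A severityType=LOW",        # CEF-escaped '='
]

# Rich's simplified rex. Python spells the named group (?P<...>); Splunk's PCRE
# form is (?<loginName>...). It runs up to the next '=' and backtracks to the
# whitespace in front of the following key, so spaces inside the value survive.
REX_UP_TO_EQUALS = re.compile(r"loginName=(?P<loginName>[^=]+)\s")
# The alternative raised in the thread: stop at the first whitespace.
REX_UP_TO_SPACE = re.compile(r"loginName=(?P<loginName>\S+)")

def extract_with(pattern):
    """Apply one rex-style pattern to every sample event; None where it fails."""
    found = []
    for event in SAMPLE_EVENTS:
        m = pattern.search(event)
        found.append(m.group("loginName") if m else None)
    return found

# Generic CEF extension parser (an assumption of this example, not the thread's
# answer): the 7 header fields end at the 7th unescaped '|'; split the extension
# only on whitespace that is followed by "key=", then undo the \= and \\ escapes.
CEF_HEADER = re.compile(r"^(?:(?:\\.|[^|\\])*\|){7}")
KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")
UNESCAPE = re.compile(r"\\([=\\])")

def parse_cef_extension(event):
    m = CEF_HEADER.match(event)
    if not m:
        raise ValueError("not a CEF event")
    fields = {}
    for pair in KEY_BOUNDARY.split(event[m.end():].strip()):
        key, _, value = pair.partition("=")
        fields[key] = UNESCAPE.sub(r"\1", value)  # an unescaped '=' in a value would mis-split
    return fields

def login_names_from_parser():
    return [parse_cef_extension(e).get("loginName") for e in SAMPLE_EVENTS]
```

On the fourth event `[^=]+\s` returns "Test User" while `\S+` returns "Test"; on the fifth both stop at "Test", and only the parser returns "Test User=1".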