Hi everyone. I am a new user to Splunk.
Recently, I have run into some trouble trying to extract a certain message from a field I want. I have a field called Message, which logs the message sent to a web server. However, I only want to retrieve a specific field when the message contains the desired field that I want.
Example: I want to retrieve the user's name when a service is invoked.
Time | Message |
2021-05-15T01:51:52.321Z | Session ID 1234 has been created |
2021-05-15T01:51:52.321Z | Invoked by user David from IP 127.256.25.16 |
2021-05-15T01:51:52.321Z | Configuration Reading - Start |
Hence, I only want to extract the name David when that specific message log containing the name appears. Does anyone have any clue how I can extract that field specifically when it appears?
Thanks in advance.
EDITED:
Hey Splunk Users,
If you have met the same problem as I did, where the message logs change constantly, make sure to search for the message you are looking for first, before drilling down to the specific field.
In my case:
| search Message="Invoked by user *"
| rex field=Message "Invoked by user (?<user>\w+)"
If the user is just a single word:
| rex field=Message "Invoked by user (?<user>\w+)"
Depending on your actual events, this might work:
| rex "Invoked by user (?<user>.+)"
Well, the full message is usually like this:
Message |
Invoked by user David from IP 10.143.235.76 |
I did try to extract the name and the IP address at the same time, but it still does not extract it as intended.
Hi there, sorry for getting back to you a bit late.
I actually had to add another line to my query, which is:
| search Message="Invoked by user *"
| rex field=Message "Invoked by user (?<user>\w+)"
This will first return the message I'm looking for, and the user in the message. Thanks a lot for the assistance.
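The search-then-rex pipeline from the thread, and the difference between the `\w+` and `.+` patterns suggested above, reproduced as an added example that is not part of the original thread. It is Python standing in for SPL: the filter function plays the role of `| search Message="Invoked by user *"` and the compiled patterns play the role of `| rex field=Message "..."`. Splunk's rex uses PCRE named groups `(?<user>...)`; Python's re module spells the same group `(?P<user>...)`, which is the only translation applied. The events are constructed for the example, including a `david.lee` event that is not in the thread, added to show what happens when a username contains a non-word character.

```python
import re

# Constructed sample events in the shape the thread describes (not taken from the post).
EVENTS = [
    ("2021-05-15T01:51:52.321Z", "Session ID 1234 has been created"),
    ("2021-05-15T01:51:52.321Z", "Invoked by user David from IP 10.143.235.76"),
    ("2021-05-15T01:51:52.321Z", "Configuration Reading - Start"),
    ("2021-05-15T01:51:53.004Z", "Invoked by user Alice from IP 192.0.2.45"),
    ("2021-05-15T01:51:54.110Z", "Invoked by user david.lee from IP 198.51.100.7"),  # constructed edge case
]

# Stand-in for `| search Message="Invoked by user *"`: the trailing wildcard
# matches the rest of the message, so this is a prefix match on Message.
def search_invoked(events):
    return [(t, m) for t, m in events if m.startswith("Invoked by user ")]

# Stand-in for `| rex field=Message "Invoked by user (?<user>\w+) from IP (?<ip>...)"`.
# \w+ stops at the first non-word character, so a dotted username will not match.
REX_WORD = re.compile(
    r"Invoked by user (?P<user>\w+) from IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# The greedy suggestion from the thread, (?<user>.+): on the full message it
# swallows everything after "user ", including " from IP ...".
REX_GREEDY = re.compile(r"Invoked by user (?P<user>.+)")

# A non-greedy variant anchored on the " from IP " literal: captures any username
# token and the IP in one pass.
REX_LAZY = re.compile(r"Invoked by user (?P<user>.+?) from IP (?P<ip>\S+)")


def rex(events, pattern):
    """Like Splunk's rex: events that do not match are kept, they just get no new fields."""
    out = []
    for t, m in events:
        fields = {"_time": t, "Message": m}
        match = pattern.search(m)
        if match:
            fields.update(match.groupdict())
        out.append(fields)
    return out


def extract_user_and_ip(events):
    """search first, then rex: only 'Invoked by user' events reach the extraction."""
    return rex(search_invoked(events), REX_WORD)


def extract_user_greedy(events):
    return rex(search_invoked(events), REX_GREEDY)


def extract_user_lazy(events):
    return rex(search_invoked(events), REX_LAZY)


if __name__ == "__main__":
    for name, fn in (("word", extract_user_and_ip), ("greedy", extract_user_greedy), ("lazy", extract_user_lazy)):
        print(name)
        for row in fn(EVENTS):
            print("  ", row.get("user"), row.get("ip"))
```

Running it shows why the search step matters and which pattern to pick: without `search_invoked`, `rex` keeps all five events and simply leaves `user` unset on the three that do not match, which is also how Splunk behaves. With the `\w+` pattern, `David` and `Alice` come out cleanly with their IPs, but the `david.lee` event silently gets no `user` or `ip` field at all, because `\w+` cannot cross the dot and the literal ` from IP` then fails to line up. The greedy `.+` pattern never fails, but it returns `David from IP 10.143.235.76` as the user. The non-greedy pattern anchored on ` from IP ` handles all three.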