Splunk Search

Extracting a string of numbers from log file and tabulate the data

wyvivianho
New Member

I am trying to extract a string of numbers (6-8 digits) within a string. Each of the strings extracted/detected will be a category of event ID, and I will need to tabulate the stats of these event IDs. What is a good way of doing it?

0 Karma
1 Solution

mayurr98
Super Champion

Try this:

index=<your_index> | rex "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

Also, try this run-anywhere search:

| makeresults 
| eval data="054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9,999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9" 
| makemv data delim="," 
| mvexpand data 
| rex field=data "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=eventID "(?<myNumber>\d+)"
0 Karma
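As an added example (not code from the original thread or from Splunk), the Python script below checks mayurr98's anchored pattern and woodcock's bare `\d+` pattern against the two sample events posted in the thread, plus one constructed line that carries no event ID, and then tabulates counts per event ID the way `... | stats count by EventId` would in SPL. It uses Python's `(?P<name>...)` group syntax because Python's `re` module does not accept the PCRE `(?<name>...)` form that `rex` uses; the third sample line and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample events: the two lines posted in the thread plus one
# assumed line with no event ID, to show what the anchored pattern does NOT match.
SAMPLE_EVENTS = [
    "054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe "
    "0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9",
    "999900 20191025183334S617_0310130020571272600120541ConsultaLDAP "
    "0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9",
    # constructed line, not from the thread: no "_NNN01" prefix, so no event ID
    "999900 20191025183334 heartbeat ok 0000000000000000000000000000JB146000000000001",
]

# Same pattern as the accepted answer's rex, written with Python's (?P<name>...)
# group syntax. (\d|\w) is simplified to \w because \w already matches digits.
# It anchors on the "<char><3 digits>_<3 digits>01" prefix so that the 4 digits
# following "01" are the event ID (2006 and 3002 in the samples).
EVENT_ID_RE = re.compile(r"\w\d{3}_\d{3}01(?P<EventId>\d{4})")

# Unanchored alternative: first run of digits anywhere in the event.
# Included to show why the prefix anchor is needed on this log format.
NAIVE_RE = re.compile(r"(?P<myNumber>\d+)")


def extract_event_id(event: str):
    """Return the 4-digit event ID, or None if the event carries none."""
    m = EVENT_ID_RE.search(event)
    return m.group("EventId") if m else None


def extract_naive(event: str):
    """Return the first run of digits in the event (woodcock's \\d+ approach)."""
    m = NAIVE_RE.search(event)
    return m.group("myNumber") if m else None


def tabulate(events):
    """Python equivalent of `... | rex ... | stats count by EventId`."""
    counts = Counter()
    for ev in events:
        eid = extract_event_id(ev)
        if eid is not None:          # events without an ID are dropped, as rex would leave the field unset
            counts[eid] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"anchored={extract_event_id(ev)!s:>5}  naive={extract_naive(ev)}")
    print(tabulate(SAMPLE_EVENTS))
```

On the two posted samples the anchored pattern yields 2006 and 3002, while the unanchored `\d+` returns the leading field (054100172 and 999900), which is why the `_\d{3}01` prefix matters here. In Splunk the same tabulation is `index=<your_index> | rex "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})" | stats count by EventId`.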

somesoni2
Revered Legend

The best method will depend upon the exact use case of yours. Please share some sample values, highlight what part you want to extract and what aggregation/reporting you want out of it. Sample expected output will help too.

0 Karma

vivianhowy18
New Member

For example, for the first event,
054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9, the event ID is the 43rd-46th digits (4 digits) "2006" after xxxxx_xxx01

Or, for the second example,
999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9
the event ID is "3002", which is the 4 digits after xxxx_xxx01.

The event ID begins with 01.

0 Karma

mayurr98
Super Champion

The best option for extracting is regex. Please give us sample input.

0 Karma

wyvivianho
New Member

Here is the sample input:

054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9

or

999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9

Trying to extract the eventID that is after _031*01XXXX*

0 Karma

mayurr98
Super Champion

Okay, can you tell me what's the eventID? What to extract from both the events?

0 Karma
