Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting specific parts from _raw logs

DanAlexander
Communicator
‎05-10-2023 09:39 AM

Hi All,

Can anyone help me create a regex to extract the bolded parts from the following _raw log, please?

meta sequenceId="182311942"]10000 - [action:"Accept"; ........; origin:"10.111.10.111"; originsicname:"CN=................610;policy_name=High_Trust-1\]"; dst:"192.168.11.01"; log_delay:"1683724684"; layer_name:"Some text"; layer_name:"High_Trust-1 Application"; layer_uuid:"426c8a................."StoneBeat-Control"; src:"192.168.81.62"]

Thank you in advance!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-26-2023 10:04 PM

Hi

if above is true you could try this for all previous fields as own rex. When you’re using separate rex, then the order can change and you could add more fields later.

<your base search>
| rex "action:\"(<?action>[^\"]+)"
| <next rex with another field name> …

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-26-2023 10:16 PM

It seems that your developers take pains to design a well formatted log.  It would be a waste to use regex for extraction.  Use extract instead.

| extract pairdelim=";" kvdelim=":"

Hope this helps 

Reply
Solved! Jump to solution

DanAlexander
Communicator
‎07-27-2023 01:17 AM

Thanks for the update @yuanliu 

Would you please elaborate on the regex waste? 

Not so sure what you have in mind based on your experience.

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-27-2023 09:42 AM

To extract patterns like ":\s*(?<field1>[^;]+)[^:]+(?<field2>[^;]+)" (which is required for that type of data), rex has to scan character by character with an indeterministic presumption.  In comparison, pairdelim=";" kvdelim=":" simply scans for fixed strings ";" and ":", which is computationally less complex. (And less demanding in RAM.)  As @isoutamo said, this does not mean that extract will always be more efficient or any choice will have material impact on performance.  But as a general practice, choose fixed pattern over regex.  The main advantage, of course, is that extract command extracts multiple kv pairs regardless of their order.

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-27-2023 03:00 AM

Just replace those all rex statements with this one. This will extract all those kv pairs.

Which option is more efficient can be check by Job Inspector.

Reply
Solved! Jump to solution

cklunck
Path Finder
‎07-26-2023 09:43 PM

After the extraction is complete, are you hoping to have fields and field values like the following?

action=Accept

origin=10.111.10.111

layer_name="Some text"

 

0 Karma
Reply
Solved! Jump to solution

DanAlexander
Communicator
‎07-27-2023 01:15 AM

Thanks for the reply @cklunck 

Positive, this is what I want to achieve.

 

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-26-2023 10:04 PM

Hi

if above is true you could try this for all previous fields as own rex. When you’re using separate rex, then the order can change and you could add more fields later.

<your base search>
| rex "action:\"(<?action>[^\"]+)"
| <next rex with another field name> …

r. Ismo

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...