Solved: Field Extraction

scout29 · ‎11-22-2024

Need help to extract a field that comes after a certain word in a event.

I am looking to extract a field called "sn_grp" with the value of "M2 Infra Ops". So for every event that has sn_grp: i would like to extract the string that follows of "M2 Infra Ops". This string value will be the same name for every event.

Below is an example data set i am using to write the regex to

\"sn_grp:M2 Infra Ops\"},{\"context\":\"CONTEXTLESS\",\"key\":\"Correspondence Routing Engine\

richgalloway · ‎11-22-2024

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-22-2024

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

scout29 · ‎11-22-2024

That seems to work however it is capturing the "\" in the string at the end. I want the value to stop after Ops in the string and not include the "\"

richgalloway · ‎11-22-2024

Try my revised answer.

---
If this reply helps you, Karma would be appreciated.

Field Extraction

field extraction

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?