Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Field Extraction

secphilomath1
Explorer
‎01-26-2024 11:45 AM

Here is my sample data;

 

start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information.  Splunk only grabs NT and not the remaining of the string

I have the following  Regex via regex101 that works....I am grabbing whatever is between 'duser=' and ' dvc'

(?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work... 

I have tried...

| rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'" 

and

| rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field.

 

Thanks in advance.

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-29-2024 10:17 AM 
| rex "duser=(?<duser>.*?) dvc=(?<dvc>\S+).*dhost=(?<dhost>\S+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

secphilomath1
Explorer
‎01-26-2024 01:26 PM

When I put in my search like this

| rex field=_raw "duser=(?<User>.*?) dvc"

I get a new field called UserNameLabel with the value of User

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-26-2024 11:53 AM

Set your anchors either side of the field extraction

| rex "duser=(?<User>.*?) dvc"
0 Karma
Reply
Solved! Jump to solution

secphilomath1
Explorer
‎01-26-2024 03:03 PM

When I put in my search like this

| rex field=_raw "duser=(?<User>.*?) dvc"

I get a new field called UserNameLabel with the value of 'User' not the user field data

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-27-2024 01:55 AM

Please share some anonymised sample data. the search you are using, your current results and your expected results

0 Karma
Reply
Solved! Jump to solution

secphilomath1
Explorer
‎01-29-2024 09:19 AM

duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.efgh.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time

I want to be able to pull out the duser, dvc, dhost etc.  Focusing on the duser ATM because it is giving me the most grief because of the space in the value.  If I can get one to work, I can get the rest working.

 

The search so far is simple;

index="abc" 

| rex field=_raw "duser=(?P<User>.*?) dvc"

| table User

 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-29-2024 10:17 AM 
| rex "duser=(?<duser>.*?) dvc=(?<dvc>\S+).*dhost=(?<dhost>\S+)"
0 Karma
Reply
Solved! Jump to solution

secphilomath1
Explorer
‎01-29-2024 10:58 AM

Oh wait these have to be in order, what if I wanted to grab a field that is 10 fields before this.  

Expanded Sample Data;

dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type Rule=Critical System Settings RuleLabel=Rule RuleType=Windows Registry Rule RuleTypeLabel=Rule Type fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices ChangeType=Added ChangeTypeLabel=Change Type SeverityName=High SeverityNameLabel=Tripwire Severity Name VersionOID=-1y2p0ij32e8cf:-1y2p0iizs0ilf VersionOIDLabel=Version OID SeverityNumber=10000 SeverityNumberLabel=Tripwire Severity Number sproc=C:\Windows\System32\svchost.exe licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elemen...NoWebServices%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7p1%3A-1y2p0ij32bgh0%22%2C%22criteria.searchExecuted%22%3Atrue%7D start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time timezoneLabel=Time Zone elementOID=-1y2p0ij32e8ca:-1y2p0ij02lo5f elementOIDLabel=Element OID blVersion=false blVersionLabel=Is baseline version hardCodedIP=10.10.10.10


Say I wanted the fields NodeType, RuleType, fname, duser, sproc?

 

Thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-29-2024 02:59 PM

As I said in my original reply, you just have to set up the anchors correctly. regex101.com is a great site for testing regex.

0 Karma
Reply
Solved! Jump to solution

secphilomath1
Explorer
‎01-29-2024 10:20 AM

Wow, thanks so much!  That solves all my problems!

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top