Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Rex Field Extraction

scout29
Path Finder
‎11-08-2023 07:24 PM

I am trying to write a rex command that extracts the field "registrar" from the below four event examples. The below values in bold are what i am looking for to be the value for "registrar".  I am using the following regex to extract the field and values, but i seem to be capturing the \r\n after the bold values as well.  How can i modify my regex to capture just the company name in bold leading up to \r\n Registrar IANA

Current regex being used:   Registrar:\s(?<registrar>.*?) Registrar IANA

 

Expiry Date: 2026-12-09T15:18:58Z\r\n Registrar: ABC Holdings, Inc.\r\n Registrar IANA ID: 972

Expiry Date: 2026-12-09T15:18:58Z\r\n Registrar: Gamer.com, LLC\r\n Registrar IANA ID: 837

Expiry Date: 2026-12-09T15:18:59Z\r\n Registrar: NoCo MFR Ltd.\r\n Registrar IANA ID: 756

Expiry Date: 2026-12-09T15:18:59Z\r\n Registrar: Onetrust Group, INC\r\n Registrar IANA ID: 478

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2023 11:08 PM

Hi @scout29 ,

please try this:

| rex "Registrar:\s+(?<Registrar>[^\\]*)"

that you can test at https://regex101.com/r/7PdpcJ/1

If it doesn't run on Splunk use three backslashes in the square parenthesis (sometimes Splunk is strange in regex extractions!).

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2023 11:08 PM

Hi @scout29 ,

please try this:

| rex "Registrar:\s+(?<Registrar>[^\\]*)"

that you can test at https://regex101.com/r/7PdpcJ/1

If it doesn't run on Splunk use three backslashes in the square parenthesis (sometimes Splunk is strange in regex extractions!).

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-13-2023 06:18 AM

Hi @scout29 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2023 07:48 PM

Add in the \r\n to the regex, i.e.

| rex "Registrar:\s(?<registrar>.*?)\\\r\\\n Registrar IANA"

Note 3 slashes

I assume those \r\n are literal characters rather than CR/LF?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...