Solved: Help with field extraction

mcollins42 · ‎01-30-2018

I'm failing miserably at this. I'm hoping someone can help me out so I can build my knowledge for future extractions

I'm getting the following record from an application, via syslog and need to perform field extractions:

Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success

Where:

Jan 30 08:50:14 (DateTime)
8.8.8.8 (src_ip)
Smith, Jim (src_user)
Jim.Smith@Domain.com (src_userupn)
Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Canada.CompassGroup.Corp\Users - Compass)' (message)
Success (Result)

Result is optional and may not be in each record, depending on what the message is.

Any regex gurus out there that can help me out?

mayurr98 · ‎01-30-2018

Hey @mcollins42

Try this run anywhere search

| makeresults | eval _raw="Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success" | rex field=_raw "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')\|(?<Result>.*)"

let me know if this helps!

View solution in original post

mayurr98 · ‎01-30-2018

Hey @mcollins42

Try this run anywhere search

| makeresults | eval _raw="Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success" | rex field=_raw "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')\|(?<Result>.*)"

let me know if this helps!

mayurr98 · ‎01-30-2018

As you said result is optional, so your some events are ending with pipe? If yes then above and @harsmarvania57 will work for both kind of events. But if it is not ending with pipe then I suggest you to extract result seperately.

you can try

| rex field=_raw  "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')"

And for result

| rex field=_raw ".*\|(?<Result>.*)"

let me know if this helps!

mcollins42 · ‎01-31-2018

Great example! Separating "Result" into another extraction was a great idea.

harsmarvania57 · ‎01-31-2018

No need to write 2 rex you can achieve same in single rex only, you will not get any output in Result field but field will be created with no data.

<yourBasesearch> 
| rex "(?<DateTime>.*)\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<src_user>[^\(]*)\s\((?<userupn>[^\)]*)\)\|(?<message>[^\|]*)\|?(?<Result>.*)?"

harsmarvania57 · ‎01-30-2018

Hi @mcollins42,

Can you please try this ?

<yourBasesearch> | rex "(?<DateTime>.*)\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<src_user>[^\(]*)\s\((?<userupn>[^\)]*)\)\|(?<message>[^\|]*)\|(?<Result>.*)"

sbbadri · ‎01-30-2018

@mcollins42

please try below

Help with field extraction

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Help with field extraction

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!