Splunk Search
Highlighted

Help with field extraction

New Member

I'm failing miserably at this. I'm hoping someone can help me out so I can build my knowledge for future extractions

I'm getting the following record from an application, via syslog and need to perform field extractions:

Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success

Where:

Jan 30 08:50:14 (DateTime)
8.8.8.8 (src_ip)
Smith, Jim (src_user)
Jim.Smith@Domain.com (src_userupn)
Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Canada.CompassGroup.Corp\Users - Compass)' (message)
Success (Result)

Result is optional and may not be in each record, depending on what the message is.

Any regex gurus out there that can help me out?

0 Karma
Highlighted

Re: Help with field extraction

Motivator

@mcollins42

please try below

your base search | rex field=raw "(?P<DateTime>\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<srcip>\d+.\d+.\d+.\d+)\s+(?P<srcuser>[^(]+)((?P<srcuserupn>\S+))|(?P<message>[^|]+)(?P<Result>(|\S+|))"

0 Karma
Highlighted

Re: Help with field extraction

SplunkTrust
SplunkTrust

Hi @mcollins42,

Can you please try this ?

<yourBasesearch> | rex "(?<DateTime>.*)\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<src_user>[^\(]*)\s\((?<userupn>[^\)]*)\)\|(?<message>[^\|]*)\|(?<Result>.*)"
0 Karma
Highlighted

Re: Help with field extraction

SplunkTrust
SplunkTrust

Hey @mcollins42

Try this run anywhere search

| makeresults | eval _raw="Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success" | rex field=_raw "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')\|(?<Result>.*)"

let me know if this helps!

View solution in original post

0 Karma
Highlighted

Re: Help with field extraction

SplunkTrust
SplunkTrust

As you said result is optional, so your some events are ending with pipe? If yes then above and @harsmarvania57 will work for both kind of events. But if it is not ending with pipe then I suggest you to extract result seperately.

you can try

| rex field=_raw  "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')"

And for result

| rex field=_raw ".*\|(?<Result>.*)"

let me know if this helps!

0 Karma
Highlighted

Re: Help with field extraction

New Member

Great example! Separating "Result" into another extraction was a great idea.

0 Karma
Highlighted

Re: Help with field extraction

SplunkTrust
SplunkTrust

No need to write 2 rex you can achieve same in single rex only, you will not get any output in Result field but field will be created with no data.

<yourBasesearch> 
| rex "(?<DateTime>.*)\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<src_user>[^\(]*)\s\((?<userupn>[^\)]*)\)\|(?<message>[^\|]*)\|?(?<Result>.*)?"
0 Karma