Splunk Search

How do I edit the regex in my search to extract a part of a string?

kumina
New Member

I have a log:

 BL: | LL: INFO | TS: 1234 | AR: RxC_16.00.37.01 | STORE:  :BROADCAST |
 USER: BROADCAST | HOST: BROADCAST | APPSERVER: rri | MSGID: CINTERFACE
 |SC: [Profile] | MSG: ISP Broadcast Received for

I want to get MSGID-SC (CINTERFACE-Profile) from the string above.

For this I am trying to use the rex command:

 index=rx_connect "USER: BROADCAST" |rex field=_raw
 "MSGID:\s(?<MSGID>[^\|]*)\s\|\SC:\s\[(?<SC>[^\]]*)\]" | eval
 someNewField=MSGID."-".SC

But it is not working. Please suggest further.


chimell
Motivator

Hi kumina

If msgid and sc are not constant, use the max_match option and the mvindex command to solve your problem.

Try this search code

 index=rx_connect "USER: BROADCAST"|rex field=_raw  max_match=0 "\|\s\w+\:\s(?P<msgid1>[^\|]+)\s"|eval msgid=mvindex(msgid1,7)
|rex field=_raw "\[(?P<sc>[^\|]+)\]"|rex field=_raw "\|\s(?P<field1>[\w]+)\:\sCINTERFACE"|rex field=_raw "\|(?P<field2>[\w]+)\:\s\[Profile]"|eval someNewField = field1."-".field2."  (".msgid."-".sc.")" 
|table msgid sc field1 field2 someNewField

See the result: [screen capture not reproduced]


chimell
Motivator

Hi kumina

Try this search code; it works well:

 index=rx_connect "USER: BROADCAST" |rex field=_raw "MSGID:\s(?P<msgid>[^\|]+)\s"|rex field=_raw "SC:\s\[(?P<sc>[^\|]+)\]"|rex field=_raw "\|\s(?P<field1>[\w]+)\:\sCINTERFACE"|rex field=_raw "\|(?P<field2>[\w]+)\:\s\[Profile]"|eval someNewField = field1."-".field2."  (".msgid."-".sc.")" |table msgid sc field1 field2 someNewField

Look at the following screen capture: [screen capture not reproduced]

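As an added illustration (my code, not part of either of chimell's answers), the rex patterns from both searches above replayed in Python against the question's log, so the max_match=0 plus mvindex(msgid1,7) variant and the per-field rex variant can be checked offline. Assumptions: the three wrapped log lines form one single-line _raw event as Splunk would index it, and the rex() helper stands in for one Splunk rex command.

```python
import re

# Constructed sample event: the three wrapped lines from the question joined
# into the single _raw line Splunk would actually index (an assumption).
RAW = (
    " BL: | LL: INFO | TS: 1234 | AR: RxC_16.00.37.01 | STORE:  :BROADCAST |"
    " USER: BROADCAST | HOST: BROADCAST | APPSERVER: rri | MSGID: CINTERFACE"
    " |SC: [Profile] | MSG: ISP Broadcast Received for"
)

# Patterns from the second (accepted) answer. Splunk rex is PCRE; the
# (?P<name>...) group syntax used there is accepted by Python's re unchanged.
REX_MSGID = re.compile(r"MSGID:\s(?P<msgid>[^\|]+)\s")
REX_SC = re.compile(r"SC:\s\[(?P<sc>[^\|]+)\]")
REX_FIELD1 = re.compile(r"\|\s(?P<field1>[\w]+)\:\sCINTERFACE")
REX_FIELD2 = re.compile(r"\|(?P<field2>[\w]+)\:\s\[Profile]")
# Pattern from the first answer: every "| KEY: value " pair, for max_match=0.
REX_ALL_PAIRS = re.compile(r"\|\s\w+\:\s(?P<msgid1>[^\|]+)\s")


def rex(pattern, raw):
    """Mimic one `rex` command (hypothetical helper): first match only,
    each named group becomes a field; no match yields no fields."""
    m = pattern.search(raw)
    return m.groupdict() if m else {}


def extract_fixed(raw):
    """Second answer: four rex commands, then eval someNewField."""
    fields = {}
    for pat in (REX_MSGID, REX_SC, REX_FIELD1, REX_FIELD2):
        fields.update(rex(pat, raw))
    # Like Splunk's eval, the concatenation only exists if every input exists.
    if all(k in fields for k in ("field1", "field2", "msgid", "sc")):
        fields["someNewField"] = "{field1}-{field2}  ({msgid}-{sc})".format(**fields)
    return fields


def extract_mvindex(raw, index=7):
    """First answer: rex max_match=0 builds a multivalue field msgid1 holding
    every match; mvindex(msgid1, 7) picks the eighth value (zero-based)."""
    msgid1 = REX_ALL_PAIRS.findall(raw)  # one string per match, like max_match=0
    msgid = msgid1[index] if index < len(msgid1) else None  # null when out of range
    return {"msgid1": msgid1, "msgid": msgid}
```

Note that the mvindex approach only works while MSGID stays the eighth "| KEY: value" pair in the event; the per-field patterns of the second answer do not depend on position.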

chimell
Motivator

Thanks too.
Test the second result and think to vote and accept.


kumina
New Member

Thanks Chimell.
Now it works.


kumina
New Member

Hi,

If the value of msgid and sc in the above logs is not constant and we want to extract that part, then what will be the string?


alacercogitatus
SplunkTrust

Your regex has a typo. Try this:

index=rx_connect "USER: BROADCAST" |rex field=_raw "MSGID:\s(?<msgid>[^\|]+)\s\|SC:\s\[(?<sc>[^\]]*)\]" | eval someNewField = msgid."-".sc

kumina
New Member

Hi,

I am still getting whole logs instead of

MSGID-SC

example: (CINTERFACE-Profile)
