Solved: Re: How do I extract this field from my sample dat...

packet_hunter · ‎06-02-2016

Scenario: I need to extract the User out of the following field msg using rex. So, I need abcdefg

Group <XGroupPolicy> User <abcdefg> IP <192.168.0.1> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..

Search:

index = main | rex field=msg [???]

Thank you!

somesoni2 · ‎06-02-2016

Try this then

 index = main | rex field=msg "User\s+\<(?<User>[^\>]+)\>"

View solution in original post

supabuck · ‎06-02-2016

Hi Packet Hunter,

This probably is not the cleanest but here is how I would pull all the fields from that simultaneously.

index=blah sourcetype=blah 
| rex "Group\s<(?P<Group>\w+)>\sUser\s<(?P<User>\w+)>\sIP\s<(?P<IP_Address>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})>\sSVC\sMessage:\s(?P<Message_Num>\d+)\/\w+:\s(?P<Message>(.*))" 
| table Group User IP_Address Message_Num Message

packet_hunter · ‎06-02-2016

Error in 'rex' command: Encountered the following error while compiling the regex '^(?P\w+)\s(?P\w+)\sIP\s<(?P\d{1': Regex: missing )

packet_hunter · ‎06-02-2016

Thank you for your attempt I will study it for educational purposes

supabuck · ‎06-03-2016

Sorry, I am pretty new to regex built within searches. What I usually do is copy a sample message and paste it into the TEST STRING at regex101.com.

After doing that you can work on building your regex and it will highlight the groups in real time!

For searches to rex out result fields I usually will do something like:

index=myIndex sourcetype=jws | rex "^\d+\s+\w+\s\d+\s\d+:\d+:\d+,\d+\s(?P<value1>\w+)\s\[]\[]\[]\s\[(?P<value2>\w+)\]\s(?P<value3>(.*))\s\[]\[(.*)\n(?P<value3>(.*))" | table _time host  value1 value2 value3 value4

Then if you want to do another search on the results for that you can add this onto the search

| search value1="somevalue"

and it will narrow down the results to only include it where value1="somevalue" in the resulting table.

packet_hunter · ‎06-03-2016

thank you for the response

somesoni2 · ‎06-02-2016

Try this then

 index = main | rex field=msg "User\s+\<(?<User>[^\>]+)\>"

packet_hunter · ‎06-02-2016

Thank you that works

richgalloway · ‎06-02-2016

Assuming the text you want is the second "word" of msg, then this should do it.

... | rex field=msg "\s(?<user>[^\s]*)\s" | ...

You may want to get to know regex101.com. It's a great way to experiment with regular expressions until you find what works.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎06-02-2016

Based on your comment, this answer is similar to the one for your previous question.

... | rex field=msg "User (?<user>[^ ]*)" | ...

---
If this reply helps you, Karma would be appreciated.

packet_hunter · ‎06-02-2016

Your code works partially - probably because my first paste did not render correctly and your code worked on that.

I appreciate your help and the refer to the link. Yes REX is a hurdle for me.

This question is similar to the other you answered, however the msg field values are different which is why I asked for more help with a different rex.

Thank you!!

somesoni2 · ‎06-02-2016

I don't see the value 'abcdefg' in the your sample data. Could you confirm which string from your sample data you need extracted?

packet_hunter · ‎06-02-2016

when I was pasting, the msg field it was not rendering, does it make sense now?
abcdefg is a redacted username

How do I extract this field from my sample data using rex?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout