Splunk Search

How do I extract this field from my sample data using rex?

packet_hunter
Contributor

Scenario: I need to extract the User out of the following field msg using rex. So, I need abcdefg

Group <XGroupPolicy> User <abcdefg> IP <192.168.0.1> SVC Message: 16/NOTICE: The user has requested to disconnect the connection.. 

Search:

index = main | rex field=msg [???]  

Thank you!

0 Karma
1 Solution

somesoni2
Revered Legend

Try this then

 index = main | rex field=msg "User\s+\<(?<User>[^\>]+)\>" 

View solution in original post

supabuck
Path Finder

Hi Packet Hunter,

This probably is not the cleanest but here is how I would pull all the fields from that simultaneously.

index=blah sourcetype=blah 
| rex "Group\s<(?P<Group>\w+)>\sUser\s<(?P<User>\w+)>\sIP\s<(?P<IP_Address>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})>\sSVC\sMessage:\s(?P<Message_Num>\d+)\/\w+:\s(?P<Message>(.*))" 
| table Group User IP_Address Message_Num Message

packet_hunter
Contributor

Error in 'rex' command: Encountered the following error while compiling the regex '^(?P\w+)\s(?P\w+)\sIP\s<(?P\d{1': Regex: missing )

0 Karma

packet_hunter
Contributor

Thank you for your attempt I will study it for educational purposes

0 Karma

supabuck
Path Finder

Sorry, I am pretty new to regex built within searches. What I usually do is copy a sample message and paste it into the TEST STRING at regex101.com.

After doing that you can work on building your regex and it will highlight the groups in real time!

For searches to rex out result fields I usually will do something like:

index=myIndex sourcetype=jws | rex "^\d+\s+\w+\s\d+\s\d+:\d+:\d+,\d+\s(?P<value1>\w+)\s\[]\[]\[]\s\[(?P<value2>\w+)\]\s(?P<value3>(.*))\s\[]\[(.*)\n(?P<value3>(.*))" | table _time host  value1 value2 value3 value4

Then if you want to do another search on the results for that you can add this onto the search

| search value1="somevalue"

and it will narrow down the results to only include it where value1="somevalue" in the resulting table.

0 Karma

packet_hunter
Contributor

thank you for the response

0 Karma

somesoni2
Revered Legend

Try this then

 index = main | rex field=msg "User\s+\<(?<User>[^\>]+)\>" 

packet_hunter
Contributor

Thank you that works

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming the text you want is the second "word" of msg, then this should do it.

... | rex field=msg "\s(?<user>[^\s]*)\s" | ...

You may want to get to know regex101.com. It's a great way to experiment with regular expressions until you find what works.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

Based on your comment, this answer is similar to the one for your previous question.

... | rex field=msg "User (?<user>[^ ]*)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

packet_hunter
Contributor

Your code works partially - probably because my first paste did not render correctly and your code worked on that.

I appreciate your help and the refer to the link. Yes REX is a hurdle for me.

This question is similar to the other you answered, however the msg field values are different which is why I asked for more help with a different rex.

Thank you!!

0 Karma

somesoni2
Revered Legend

I don't see the value 'abcdefg' in the your sample data. Could you confirm which string from your sample data you need extracted?

0 Karma

packet_hunter
Contributor

when I was pasting, the msg field it was not rendering, does it make sense now?
abcdefg is a redacted username

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...