Re: How to attract a specific word from string usi...

thinhdinh · ‎06-24-2020

Hello Splunk Experts!

I have a string like below

rex " - - (?<text>foo|bar) " | .....

I want to take the text when a word match foo or bar. The string include whitespace as above. Thank in advance!

gcusello · ‎06-24-2020

did you tried?

| rex "(?<text>foo|bar)"

if you want only isolated foo/bar word, try this:

| rex "(?<text>foo|bar)"

| rex "\s+(?<text>foo|bar)\s+"

If you share some example I could verify my regex.

If you want you could also use regex101.com to test this regex with your samples.

Ciao.

Giuseppe

thinhdinh · ‎06-24-2020

Hi @gcusello ,

Thank you for your answer. Basically I have a event like this:

Mon Mar 19 20:16:27 2018 Info: Bounced: DCID 8413617 MID 19338947 - - "Hello world"  From: <MariaDubois@example.com> To: <zecora@buttercupgames.com> RID 0 - 5.4.7 - Delivery expired (message too old) ('000', ['timeout'])

How can I get the "Hello world" from above event using rex command?

gcusello · ‎06-24-2020

Hi @thinhdinh ,

you can use a regex like this:

| rex "(?<text>Hello world)"

that you can test at https://regex101.com/r/YXExE4/1

if instead you want to teke the text between quotes in that position (non only Hello world), you could try:

| rex "\"(?<text>[^\"]+)\""

that you can test at https://regex101.com/r/YXExE4/2

Ciao.

Giuseppe

thinhdinh · ‎06-24-2020

Okie, I was missing field=_raw. Now I got it worked, thank you.

gcusello · ‎06-24-2020

field=_raw isn't mandatory!

How to attract a specific word from string using rex?

eval

regex

rex

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?