Splunk Search

How to create a field with varying lengths of field values?

gilbxrtx_7
New Member

I want to create a field which extract values, however I have some field values that I want to extract which contain more than one word.
For instance:
alt text (image file: field-error.png)

I want the 'auth' and 'SECURE AUDIT' values to be considered as part of the same field that I am going to create. However I got the field extraction error message: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Basically I want to extract the text between the yellow boxed text and the value '0' to be added as a field.
How can I add the field such that I don't get the error?

Splunk only highlighted the first word 'SECURE' instead of 'SECURE AUDIT', which is not what I want.

Output with the following regex suggested:

(?:[^\s]+\s){2}(?P[^\s]+(?:\s\w+)?)\s\d+\s+<

alt text (image file: error-3.png)

I tried to modify the regex by removing the 'w', and it highlighted only the 'auth' texts and 'AUDIT' without the 'SECURE'

To display the result output I have removed my second image as Splunk only allows two image files uploaded.

Regular expression generated by Splunk:
^(?:[^ \n]* ){3}(?P\w+\s+\w+)

I realized the regex suggested by one user extracted wrongly as he/she did not include < 37 > 1 at the front of the lines as indicated in my text line. The wording got misaligned and hence the wrong extraction.
https://regex101.com/r/biHi9a/4
The link above is the correct sample text that I want to work with. Would appreciate any help to modify it to achieve my desired results.

Tags (1)
0 Karma

woodcock
Esteemed Legend

Go to http://regex101.com and build it yourself. You should not be using Splunk's regex builder.

0 Karma

cafissimo
Communicator

Here it is a working complete example with the extraction of "field1"

| makeresults count=2
| streamstats count
| eval _raw=case(count==1,"<37> 1 2018-04-23T08:08:08Z E876876876 SECURE AUDIT 0 <secure audit error> [cdkncdckne dckmdkcmd]",count==2,"<37> 1 2018-04-23T08:08:08Z E876876876 auth 0 <login> [kdnckn rrgrr]
<37> 1 2018-04-23T08:08:08Z E876876876 auth 0 <login> [kdnckn rrgrr]")
| rex field=_raw "<\d+>\s+\d+\s+(?:[^\s]+\s){2}(?P<field1>[^\s]+(?:\s+\w+)*)\s\d+\s+<"

alt text

0 Karma

kthammireddygar
Path Finder

Try this to create a field with all texts within the square brackets.

| rex "\s*\[(?P<Fieldname>.*?)\]\s*"
0 Karma

gilbxrtx_7
New Member

this is not what I'm asking for in this question
@kthammireddygari

0 Karma

cafissimo
Communicator

Try this regex:

(?:[^\s]+\s){2}(?P[^\s]+(?:\s\w+)?)\s\d+\s+<

Test it here:
https://regex101.com/r/biHi9a/1

Best regards

0 Karma

gilbxrtx_7
New Member

Hi, your answer seems correct in the regex test link. However when I copied and paste the exact regex into splunk, it somehow highlighted the text wrongly.

It highlighted the text before the auth as part of the field extraction as well.

I have edited my question to display the output when I added the regex you suggested into splunk.
@cafissimo

https://regex101.com/r/biHi9a/4
I realized that your regex sampled worked because you did not include < 37 > 1 at the front of each line. After I added < 37 > 1 the alignment shifted and the text were not highlighted correctly anymore
I have attached the updated link with the correct sample text

0 Karma

p_gurav
Champion

Can you try:

| rex field=_raw "(?P<field1>[^\s]+)\s\d+\<"
0 Karma

gilbxrtx_7
New Member

I realized what you meant, but I do not want to extract fields while searching, I want to create a fixed field.

0 Karma

ssadanala1
Contributor

Try this regex

rex field = _raw "\s+\w+\s+(?P.*)\s+\d+"

0 Karma

gilbxrtx_7
New Member

I realized what you meant, but I do not want to extract fields while searching, I want to create a fixed field.

0 Karma

FrankVl
Ultra Champion

Can you share the regular expression that Splunk generates for you? Then we can help adjust it to achieve your desired result.

0 Karma

gilbxrtx_7
New Member

This is the regular expression generated by Splunk which extracted wrongly.
^(?:[^ \n]* ){3}(?P\w+\s+\w+)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...