Solved: How to create rex to extract field?

Harish2 · ‎01-12-2023

From here i need to extarct the identification=MLAS, MLA, LAS and VAM
My sample logs:
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=MLAS&timeRange=EVERYDAY&timePeriod=MINUTES

[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=MLA&timeRange=EVERYDAY&timePeriod=MINUTES

[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=LAS&timeRange=EVERYDAY&timePeriod=MINUTES

[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&identification=VAM&timeRange=EVERYDAY&timePeriod=MINUTES

in my selected fileds or intresting fileds indeentification fileds should appear has below:
MLAS
MLA
LAS
VAM

richgalloway · ‎01-12-2023

The rex command works for me.

| rex "identification=(?<identification>\w+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

yuanliu · ‎01-13-2023

Are posted logs raw events? Is there some settings in your sourcetype (props.conf) that prevents automatic extraction of the fields you wanted? Because the field names and values are connected by equal sign, Splunk should have already extracted them.

Here is an emulation of your samples:

| makeresults
| fields - _time
| eval data = split("[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&identification=MLAS&timeRange=EVERYDAY&timePeriod=MINUTES
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&identification=MLA&timeRange=EVERYDAY&timePeriod=MINUTES
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&identification=LAS&timeRange=EVERYDAY&timePeriod=MINUTES
[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&identification=VAM&timeRange=EVERYDAY&timePeriod=MINUTES", "
")
| mvexpand data
| rename data AS _raw
| extract

These are the fields extracted:

QueryLetter	app	authenticationid	clientid	identification	timePeriod	timeRange
"yard=MS		100\| \|35467577889999\| \|67775-ghhgfrt-6788h-7667788	7689-jhgg-8765r-kkjggt	MLAS	MINUTES	EVERYDAY
"yard=MS		100\| \|35467577889999\| \|67775-ghhgfrt-6788h-7667788	7689-jhgg-8765r-kkjggt	MLA	MINUTES	EVERYDAY
"yard=MS		100\| \|35467577889999\| \|67775-ghhgfrt-6788h-7667788	7689-jhgg-8765r-kkjggt	LAS	MINUTES	EVERYDAY
"yard=MS		100\| \|35467577889999\| \|67775-ghhgfrt-6788h-7667788	7689-jhgg-8765r-kkjggt	VAM	MINUTES	EVERYDAY

richgalloway · ‎01-12-2023

The rex command works for me.

| rex "identification=(?<identification>\w+)"

---
If this reply helps you, Karma would be appreciated.

Harish2 · ‎01-18-2023

Hi @richgalloway
it worked, thank you

How to create rex to extract field?

field extraction

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...