Splunk Search

How to custom field extract for the field "ending with"?

e400425
New Member

My sample log (modified to remove confidential data) looks like the following.

Apr  9 13:54:13 10.195.247.77 04/09/2018:07:38:18 GMT CitrixNetscalerDevice1 0-PPE-1 : default SSLVPN ICASTART 8054764 0 :  Source 192.168.247.221:11905 - Destination 10.196.164.81:1494 - username:domainname User1:Region1 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:38:18 GMT" - connectionId 848984
Apr  9 13:54:12 10.195.247.77 04/09/2018:07:38:17 GMT CitrixNetscalerDevice1 0-PPE-3 : default SSLVPN ICASTART 8060292 0 :  Source 192.168.213.191:10528 - Destination 172.26.22.255:1494 - username:domainname User2:Region1 - applicationName BusienssVDI-2_0-W-P-006-T2 $S10-10 - startTime "04/09/2018:07:38:17 GMT" - connectionId 911007
Apr  9 13:54:05 169.76.248.92 04/09/2018:07:57:59 GMT CitrixNetscalerDevice2 0-PPE-1 : default SSLVPN ICASTART 5981923 0 :  Source 192.168.235.25:10583 - Destination 10.117.16.219:1494 - username:domainname User3:Region3 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:57:59 GMT" - connectionId 9e590d
Apr  9 13:54:05 169.76.248.92 04/09/2018:07:57:59 GMT CitrixNetscalerDevice2 0-PPE-1 : default SSLVPN ICASTART 5981922 0 :  Source 192.168.206.28:10420 - Destination 172.28.79.20:1494 - username:domainname User4:Region2 - applicationName BusienssVDI-2_0-W-P-001-T1 $S1-1 - startTime "04/09/2018:07:57:59 GMT" - connectionId 9e590c
Apr  9 13:54:03 169.76.248.92 04/09/2018:07:57:58 GMT CitrixNetscalerDevice2 0-PPE-2 : default SSLVPN ICASTART 5482686 0 :  Source 192.168.221.39:10693 - Destination 169.77.183.175:1494 - username:domainname User5:Region3 - applicationName Remote Desktop Connection - startTime "04/09/2018:07:57:57 GMT" - connectionId 9a7052
Apr  9 13:54:02 10.117.59.155 04/09/2018:13:54:02 GMT CitrixNetscalerDevice3 0-PPE-3 : default SSLVPN ICASTART 4865811 0 :  Source 192.168.224.220:11758 - Destination 169.76.140.48:1494 - username:domainname User6:Region3 - applicationName MyFULLSCREEN - startTime "04/09/2018:13:54:02 GMT" - connectionId a524a0
Apr  9 13:54:01 10.195.247.100 04/09/2018:13:54:01 GMT CitrixNetscalerDevice4 0-PPE-2 : default SSLVPN ICASTART 7084575 0 :  Source 192.168.244.50:11904 - Destination 10.196.196.217:1494 - username:domainname User7:Region1 - applicationName BusienssVDI-2_0-W-P-001-T1 $S2-1 - startTime "04/09/2018:13:54:01 GMT" - connectionId 82a028

My Splunk query to retrieve the important fields at search time is as follows.

index=MyIndex ICAEND NOT ANONYMOUS
| rex field=_raw "GMT (?P<CAGName>[^\s]+)"
| eval CAGName=upper(CAGName)
| rex field=_raw "username:domainname (?P<CAGUserName>\w+)"
| eval CAGUserName=upper(CAGUserName)
| rex field=_raw "\s\"(?<StartTime>\d+\/\d+\/\d+\:\d+:\d+:\d+\sGMT)"
| rex field=_raw "Source\s(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "Destination\s(?<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| table StartTime,CAGUserName,CAGName,Source,Destination

I want to do a custom field extraction for ApplicationName, i.e. everything between the word "applicationName\s" and "-\sstartTime".
So,

    | rex field=_raw "applicationName\s(?<ApplicationName>HelpMeWriteSomethingHereToDoCustomFieldExtact)"

Can someone help me complete the following?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

...| rex field=_raw "applicationName\s(?<ApplicationName>.+)\s-\sstartTime"


0 Karma


somesoni2
SplunkTrust
SplunkTrust

If the position of the values you want to extract doesn't change, you can combine multiple field extractions into one like this:

index=MyIndex ICAEND NOT ANONYMOUS
| rex "^(\S+\s+){6}(?P<CAGName>\S+).+\sSource\s+(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::\d+)?\s+-\s+Destination\s+(?<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::\d+)?\s+-\s+username:domainname\s+(?P<CAGUserName>\S+)\s+-\s+applicationName\s(?<ApplicationName>.+)\s+-\s+startTime\s+\"(?<StartTime>[^\"]+)\"\s+-\s+connectionId\s+(?<ConnectionId>\S+)"
0 Karma
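The point of both answers is that the application name contains spaces and characters like `$`, so a `\S+` or `\w+` group stops too early; the accepted pattern lets greedy `.+` run and relies on the literal ` - startTime` that follows to bound it. The script below is an added example, not part of this thread or of Splunk: it applies a Python translation of the combined rex (Python's `re` needs `(?P<name>...)` rather than `(?<name>...)`) to two of the sample events from the question plus one constructed event without an `applicationName` segment, compares the naive and bounded patterns for the application name, and counts events the rex does not match. The optional `(?::\d+)?` after each address is an assumption added here because the sample events carry `ip:port` before the ` - ` separator. Counting non-matching events matters operationally: in Splunk a failed `rex` silently yields null fields and those events drop out of `| table ...`.

```python
import re
from typing import List, Optional

# Sample events copied from the question above (already anonymised by the poster),
# plus a constructed third event with no applicationName segment to show a non-match.
SAMPLE_EVENTS = [
    'Apr  9 13:54:13 10.195.247.77 04/09/2018:07:38:18 GMT CitrixNetscalerDevice1 0-PPE-1 : default SSLVPN ICASTART 8054764 0 :  Source 192.168.247.221:11905 - Destination 10.196.164.81:1494 - username:domainname User1:Region1 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:38:18 GMT" - connectionId 848984',
    'Apr  9 13:54:03 169.76.248.92 04/09/2018:07:57:58 GMT CitrixNetscalerDevice2 0-PPE-2 : default SSLVPN ICASTART 5482686 0 :  Source 192.168.221.39:10693 - Destination 169.77.183.175:1494 - username:domainname User5:Region3 - applicationName Remote Desktop Connection - startTime "04/09/2018:07:57:57 GMT" - connectionId 9a7052',
    # Constructed (not from the page): ICAEND-style line without applicationName/startTime.
    'Apr  9 13:55:00 10.195.247.77 04/09/2018:07:39:00 GMT CitrixNetscalerDevice1 0-PPE-1 : default SSLVPN ICAEND 8054764 0 :  Source 192.168.247.221:11905 - Destination 10.196.164.81:1494 - username:domainname User1:Region1 - connectionId 848984',
]

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Same structure as the combined rex in the answer, written with Python's (?P<name>...)
# groups, escaped dots in the IP pattern, and an optional ":port" after each address
# (assumption: the events carry "ip:port", which must be consumed before " - ").
COMBINED = re.compile(
    r"^(?:\S+\s+){6}(?P<CAGName>\S+).+\sSource\s+(?P<Source>" + IPV4 + r")(?::\d+)?"
    r"\s+-\s+Destination\s+(?P<Destination>" + IPV4 + r")(?::\d+)?"
    r"\s+-\s+username:domainname\s+(?P<CAGUserName>\S+)"
    r"\s+-\s+applicationName\s(?P<ApplicationName>.+)\s+-\s+startTime\s+\"(?P<StartTime>[^\"]+)\""
    r"\s+-\s+connectionId\s+(?P<ConnectionId>\S+)"
)

# A naive first attempt: \S+ stops at the first space inside the application name.
NAIVE_APP = re.compile(r"applicationName\s(?P<ApplicationName>\S+)")
# The accepted answer's pattern: greedy .+ bounded by the literal " - startTime".
BOUNDED_APP = re.compile(r"applicationName\s(?P<ApplicationName>.+)\s-\sstartTime")


def extract(event: str) -> Optional[dict]:
    """Return the named groups for one event, or None when the rex does not match."""
    m = COMBINED.match(event)
    return m.groupdict() if m else None


def extract_all(events: List[str]) -> List[Optional[dict]]:
    """Mimic `| rex` over a result set: matched events get fields, others get None."""
    return [extract(e) for e in events]


def unmatched_count(events: List[str]) -> int:
    """Events that fail the rex would silently drop out of `| table ...`; count them."""
    return sum(1 for e in events if COMBINED.match(e) is None)


def app_name(event: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Apply one of the ApplicationName patterns and return the captured value."""
    m = pattern.search(event)
    return m.group("ApplicationName") if m else None


if __name__ == "__main__":
    for row in extract_all(SAMPLE_EVENTS):
        print(row)
    print("unmatched events:", unmatched_count(SAMPLE_EVENTS))
    print("naive  :", app_name(SAMPLE_EVENTS[0], NAIVE_APP))
    print("bounded:", app_name(SAMPLE_EVENTS[0], BOUNDED_APP))
```

Note that the combined pattern captures `CAGUserName` as `User1:Region1` (the answer's `\S+`), whereas the question's separate rex used `\w+` and stopped at `User1`; pick whichever the downstream `| table` expects, and run a quick `| stats count(ApplicationName)` against `count` in Splunk to confirm the rex matches every event you care about.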