Solved: How to extract a field that appears in 3 different...

Bagaboo · ‎12-20-2015

Hello,

I am using Splunk Light to create a proof of concept with Splunk.

I have imported a .csv file. One of the columns has a "message".
The message sometimes contains an ActivityID.
The ActivityID has three inconsistent shapes:
1. ActivityID: 00000000-0000-0000-0000-000000000000
2. ActivityID 00000000-0000-0000-0000-000000000000
3. activityid_00000000-0000-0000-0000-000000000000

I want to extract the field based on the above.

I succeeded to extract the first one. When I add the second one, it fails to do so and throws an error.
I tried to create two different definitions with the same name. The seconds one fails because ActivityID already exists.

What are your recommendations?

MuS · ‎12-20-2015

Hi Bagaboo,

based on the examples, try this regex as your field extraction:

[Aa]ctivity[iIdD]+[\s:_]+(?<ActivityID>)[^$]+

you can verify it first in a search:

your base search here | rex "[Aa]ctivity[iIdD]+[\s:_]+(?<ActivityID>)[^$]+" | do more stuff

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎12-20-2015

Hi Bagaboo,

based on the examples, try this regex as your field extraction:

[Aa]ctivity[iIdD]+[\s:_]+(?<ActivityID>)[^$]+

you can verify it first in a search:

your base search here | rex "[Aa]ctivity[iIdD]+[\s:_]+(?<ActivityID>)[^$]+" | do more stuff

Hope this helps ...

cheers, MuS

Bagaboo · ‎12-21-2015

Thank you MuS. Based on your input i tried...

[Aa]ctivity[iIdD]+[\s:_]+(?P<ActivityID>[^,]+)

...and it worked like a charm. It is extracting all three field variants and getting me the guids flawlessly. Although i got different results when i tried it in the search.

How to extract a field that appears in 3 different formats?

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!