Splunk Search

How to extract a string from a field that contains letters, numbers and characters?

Path Finder

How to extract a field that can contain letters, numbers and characters, as in the example below?
The field to extract is the policyName that always comes preceded by the instanceId field.

Ex:

policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313

I have tried several ways, but it is only extracting the first word after the "=" sign, eg. "[Exchange]", "Unrestricted", etc ...

Can anyone help?

Thank you very much in advance.

0 Karma
1 Solution

Champion
| makeresults |eval x="Ex: policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313" | rex field=x "policyName+\s+\=(?<pname>.*?)instanceId" max_match=0


0 Karma
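As an added illustration (not part of the thread), the accepted lazy pattern and the greedy variant posted later in this thread, run with Python's re module over constructed copies of the sample events: per event both give the same policyName, but once all events sit in one field and `(?ms)` lets `.` cross newlines, only the lazy form still yields one value per event.

```python
import re

# Constructed sample events, modelled on the ones quoted in the question.
EVENTS = [
    "policyName = Unrestricted Inbound Access on network security groups instanceId = 5313",
    "policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313",
    "policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319",
    "policyName = Unencrypted OS disks instanceId = 5313",
    "policyName = Check Disable Telnet (port 23) access on Network Security Groups "
    "from Internet instanceId = 5313",
]

# Python's re spells named groups (?P<name>...); Splunk's PCRE accepts both spellings.
LAZY = r"policyName\s*=\s*(?P<pname>.*?)instanceId"   # accepted answer: stop at the FIRST instanceId
GREEDY = r"policyName\s*=\s*(?P<pname>.*)instanceId"  # later reply: .* runs to the LAST instanceId


def extract_policy_names(text, pattern=LAZY, dot_all=False):
    """Return every policyName captured in `text`, like `rex ... max_match=0`.

    dot_all=True mirrors the (?ms) prefix suggested in the thread (dot matches newlines).
    Splunk keeps the captured whitespace; trim() does there what strip() does here.
    """
    flags = re.M | re.S if dot_all else 0
    return [m.group("pname").strip() for m in re.finditer(pattern, text, flags)]


def per_event(pattern):
    """Normal search-time case: each event is its own result with one instanceId."""
    return [extract_policy_names(event, pattern)[0] for event in EVENTS]


def single_field(pattern, dot_all=False):
    """All events concatenated into one field, as in the makeresults reproduction."""
    return extract_policy_names("\n".join(EVENTS), pattern, dot_all)
```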

Path Finder

To extract the field in inline mode.

I used this REGEX:

(?:policyName = (?P<policy>.*)instanceId)

Thank you very much.

0 Karma

Champion
| makeresults |eval x="Ex: policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313" | rex field=x "policyName+\s+\=(?<pname>.*?)instanceId" max_match=0

View solution in original post

0 Karma

Path Finder

Hi Sukisen!

It worked in search time. But inline extract does not. What would it look like for extract inline?

Thank you.

James

0 Karma

Champion

hi @jfeitosareal
It should work in inline search as well.
Is the inline search a table in a dashboard? If yes, check the time range of the search.
It could be that your logs are multispaced; in that case use this regex: `rex field=x "(?ms)policyName+\s+=(?<pname>.*?)instanceId" max_match=0`

0 Karma

Path Finder

Hi @Sukisen1981 .

In fact it is to extract the field without research.

I got it this way:

(?:policyName=(?P<policy>.*)instanceId)

Thanks for your attention, your example helped me find this result.

Thank you very much.

James []s

0 Karma