Splunk Search

How to extract a string from a long field containing special characters?

dannili
Communicator

Hi all, I'm trying to use use Rex to extract a specific value from a really long string which contains all kinds of characters. Here's one example:
The string I'm trying to extract:

Output","ToRenderDev":"","FromRenderDevDriver":"","ToRenderDevDriver":"","FromVPN":false,"ToVPN":false,"FromLinkSpeed":146080000,"ToLinkSpeed":1000000000,"FromNetworkConnectionDetail":"wifi","ToNetworkConnectionDetail":"wired","FromIPAddr":"52.114.60.71","ToIPAddr":"52.114.60.71","FromBssid":null,"ToBssid":null,"FromReflexiveLocalIPAddr":"98.210.208.202","ToReflexiveLocalIPAddr":"10.11.180.137","FromWifiDriverDeviceDesc":"","ToWifiDriverDeviceDesc":""

But I only need the IP address 52.114.60.71between the (...ToIPAddr":") and (","FromBssid...). Since the IP address string is between special characters it's kinda tricky to get the new field.

Does anyone know how to do this? Thanks a lot!

0 Karma
1 Solution

niketn
Legend

@dannili try the following run anywhere search based on the sample data provided.

| makeresults
| eval _raw=" Output\",\"ToRenderDev\":\"\",\"FromRenderDevDriver\":\"\",\"ToRenderDevDriver\":\"\",\"FromVPN\":false,\"ToVPN\":false,\"FromLinkSpeed\":146080000,\"ToLinkSpeed\":1000000000,\"FromNetworkConnectionDetail\":\"wifi\",\"ToNetworkConnectionDetail\":\"wired\",\"FromIPAddr\":\"52.114.60.71\",\"ToIPAddr\":\"52.114.60.71\",\"FromBssid\":null,\"ToBssid\":null,\"FromReflexiveLocalIPAddr\":\"98.210.208.202\",\"ToReflexiveLocalIPAddr\":\"10.11.180.137\",\"FromWifiDriverDeviceDesc\":\"\",\"ToWifiDriverDeviceDesc\":\"\""
| rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

The rex command required is | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@dannili try the following run anywhere search based on the sample data provided.

| makeresults
| eval _raw=" Output\",\"ToRenderDev\":\"\",\"FromRenderDevDriver\":\"\",\"ToRenderDevDriver\":\"\",\"FromVPN\":false,\"ToVPN\":false,\"FromLinkSpeed\":146080000,\"ToLinkSpeed\":1000000000,\"FromNetworkConnectionDetail\":\"wifi\",\"ToNetworkConnectionDetail\":\"wired\",\"FromIPAddr\":\"52.114.60.71\",\"ToIPAddr\":\"52.114.60.71\",\"FromBssid\":null,\"ToBssid\":null,\"FromReflexiveLocalIPAddr\":\"98.210.208.202\",\"ToReflexiveLocalIPAddr\":\"10.11.180.137\",\"FromWifiDriverDeviceDesc\":\"\",\"ToWifiDriverDeviceDesc\":\"\""
| rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

The rex command required is | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

dannili
Communicator

@niketnilay Thanks for your quick response. I have a follow up question tho, what if I have a column full of values like this, the eval_raw wouldn't work this time, would it? Is there a more general way?

0 Karma

niketn
Legend

@dannili, eval _raw is used just to generate dummy data as per your question. You need just the rex command after it.

<yourSearchToGetRawEvents>
 | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

Eventually once you have tested the regular expression in the rex command, you should move the same to Knowledge Object using Field Extraction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

dannili
Communicator

@niketnilay I got it! Thanks a lot!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...