Solved: How to extract a string from a long field containi...

dannili · ‎06-21-2018

Hi all, I'm trying to use use Rex to extract a specific value from a really long string which contains all kinds of characters. Here's one example:
The string I'm trying to extract:

Output","ToRenderDev":"","FromRenderDevDriver":"","ToRenderDevDriver":"","FromVPN":false,"ToVPN":false,"FromLinkSpeed":146080000,"ToLinkSpeed":1000000000,"FromNetworkConnectionDetail":"wifi","ToNetworkConnectionDetail":"wired","FromIPAddr":"52.114.60.71","ToIPAddr":"52.114.60.71","FromBssid":null,"ToBssid":null,"FromReflexiveLocalIPAddr":"98.210.208.202","ToReflexiveLocalIPAddr":"10.11.180.137","FromWifiDriverDeviceDesc":"","ToWifiDriverDeviceDesc":""

But I only need the IP address 52.114.60.71between the (...ToIPAddr":") and (","FromBssid...). Since the IP address string is between special characters it's kinda tricky to get the new field.

Does anyone know how to do this? Thanks a lot!

niketn · ‎06-21-2018

@dannili try the following run anywhere search based on the sample data provided.

| makeresults
| eval _raw=" Output\",\"ToRenderDev\":\"\",\"FromRenderDevDriver\":\"\",\"ToRenderDevDriver\":\"\",\"FromVPN\":false,\"ToVPN\":false,\"FromLinkSpeed\":146080000,\"ToLinkSpeed\":1000000000,\"FromNetworkConnectionDetail\":\"wifi\",\"ToNetworkConnectionDetail\":\"wired\",\"FromIPAddr\":\"52.114.60.71\",\"ToIPAddr\":\"52.114.60.71\",\"FromBssid\":null,\"ToBssid\":null,\"FromReflexiveLocalIPAddr\":\"98.210.208.202\",\"ToReflexiveLocalIPAddr\":\"10.11.180.137\",\"FromWifiDriverDeviceDesc\":\"\",\"ToWifiDriverDeviceDesc\":\"\""
| rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

The rex command required is | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-21-2018

@dannili try the following run anywhere search based on the sample data provided.

| makeresults
| eval _raw=" Output\",\"ToRenderDev\":\"\",\"FromRenderDevDriver\":\"\",\"ToRenderDevDriver\":\"\",\"FromVPN\":false,\"ToVPN\":false,\"FromLinkSpeed\":146080000,\"ToLinkSpeed\":1000000000,\"FromNetworkConnectionDetail\":\"wifi\",\"ToNetworkConnectionDetail\":\"wired\",\"FromIPAddr\":\"52.114.60.71\",\"ToIPAddr\":\"52.114.60.71\",\"FromBssid\":null,\"ToBssid\":null,\"FromReflexiveLocalIPAddr\":\"98.210.208.202\",\"ToReflexiveLocalIPAddr\":\"10.11.180.137\",\"FromWifiDriverDeviceDesc\":\"\",\"ToWifiDriverDeviceDesc\":\"\""
| rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

The rex command required is | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dannili · ‎06-24-2018

@niketnilay Thanks for your quick response. I have a follow up question tho, what if I have a column full of values like this, the eval_raw wouldn't work this time, would it? Is there a more general way?

niketn · ‎06-24-2018

@dannili, eval _raw is used just to generate dummy data as per your question. You need just the rex command after it.

<yourSearchToGetRawEvents>
 | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\""

Eventually once you have tested the regular expression in the rex command, you should move the same to Knowledge Object using Field Extraction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dannili · ‎06-24-2018

@niketnilay I got it! Thanks a lot!

How to extract a string from a long field containing special characters?

Splunk Community Platform Survey

Observability Highlights | November 2022 Newsletter

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist