Splunk Search

How to extract a value from a field with spaces?

yozhbk
Explorer

Hello,

I'm doing a simple alert, which looks like this:

SIP/3102-in-* you=* | table you, id

Which should extract 2 tables from message like this:

Aug  1 10:40:08 192.168.1.201 Aug  1 10:39:17 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=11111111111|id=""Caller ID""") in new stack

What I get in return is actually this:

"11111111 Caller" (in a table form of course), but the ID is missing. For anything that comes in, only the first word before the space is shown.

I understand it's due to the way I extract it, but I'm really not sure how to form a search to make it properly produce the full string. Any help is appreciated.

0 Karma
1 Solution

sundareshr
Legend

Try this

SIP/3102-in-* you=* | rex "id=\"\"(?<id>[^\"]+)" |  table you, id


Jeremiah
Motivator

Try adding

| rex "id=\"\"(?<id>[^\"]+)"

to your search or

EXTRACT-id = id=""(?<id>[^"]+)

to your props.conf stanza for this sourcetype.

0 Karma

yozhbk
Explorer

Thanks, but it seems to only work on some messages and not others....

0 Karma

gabriel_vasseur
Contributor

You would have more/better help if you actually posted examples and said "it worked for these ... but didn't work for those ...". Give as much detail as possible.

0 Karma

yozhbk
Explorer

I think I got it, in the example I showed, I was testing with double "" around the ID= field, so it worked with that. But my regular messages look like this.

Aug  1 11:27:04 192.168.1.201 Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=111111111|id=CALLER ID") in new stack

Really sorry for the confusion. I can add the double "" back, but I really do want to understand why just changing to

0 Karma

yozhbk
Explorer

Guys thank you so much. I figured it out. I guess I need to pay more attention. This is what my final search string looks like...

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id

sundareshr
Legend

@yozhbk, please accept the answer to close it out

0 Karma

sundareshr
Legend

rex "id=\"\"(?<id>[^)]+)" will not work because it is expecting "" after =. In your data, it appears, there's no quotes after the = sign. To capture, when no quotes, try this

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id
0 Karma
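A worked check of the patterns discussed in this thread, added here as an example and not part of any post: it runs the quoted-form rex and the unquoted-form rex over the two sample events the poster shared, translated into Python's re (the only change is Python's (?P<id>...) spelling for the named group, where Splunk's rex writes (?<id>...)), and adds a combined pattern, which is my own addition, that accepts both event shapes while still keeping the space inside the caller ID.

```python
import re
from typing import Optional

# The two events pasted in the thread, used here as constructed test input.
EVENT_QUOTED = (
    'Aug  1 10:40:08 192.168.1.201 Aug  1 10:39:17 asterisk[4015]: VERBOSE[4015]:     '
    '-- Executing [s@default:1] Set("SIP/3102-in-00000000", '
    '"you=11111111111|id=""Caller ID""") in new stack'
)
EVENT_PLAIN = (
    'Aug  1 11:27:04 192.168.1.201 Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     '
    '-- Executing [s@default:1] Set("SIP/3102-in-00000000", '
    '"you=111111111|id=CALLER ID") in new stack'
)

# Splunk rex uses PCRE named groups, (?<id>...); Python's re needs (?P<id>...).
# That spelling is the only difference from the patterns posted in the thread.
REX_QUOTED = re.compile(r'id=""(?P<id>[^"]+)')  # requires the literal "" after id=
REX_PLAIN = re.compile(r'id=(?P<id>[^"]+)')     # requires a non-quote right after id=

# Combined pattern (an addition, not from the thread): the "" is optional and the
# capture stops at a quote, a pipe or the closing parenthesis, so the space inside
# the caller ID survives in either event shape.
REX_BOTH = re.compile(r'id=(?:"")?(?P<id>[^"|)]+)')

# Splunk's automatic key=value extraction splits on whitespace, which is why the
# original search showed only the first word; a character class such as [^"]+
# inside rex spans spaces without any trouble.
REX_YOU = re.compile(r'you=(?P<you>[^"|]+)')


def extract_id(event: str, pattern: re.Pattern) -> Optional[str]:
    """Return the captured id group, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("id") if m else None


def extract_fields(event: str) -> dict:
    """Rough equivalent of '| rex ... | table you, id' using the combined pattern."""
    you = REX_YOU.search(event)
    return {
        "you": you.group("you") if you else None,
        "id": extract_id(event, REX_BOTH),
    }


def compare_patterns(event: str) -> dict:
    """Show what each pattern from the thread yields for one event."""
    return {
        "quoted": extract_id(event, REX_QUOTED),
        "plain": extract_id(event, REX_PLAIN),
        "both": extract_id(event, REX_BOTH),
    }


if __name__ == "__main__":
    for name, ev in (("quoted", EVENT_QUOTED), ("plain", EVENT_PLAIN)):
        print(name, compare_patterns(ev), extract_fields(ev))
```

Running it shows the behaviour sundareshr describes: the quoted-form pattern returns nothing for the event without "" after id=, the unquoted-form pattern returns nothing for the event with "", and only the combined pattern yields the full caller ID, spaces included, for both.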

yozhbk
Explorer

rex "id=\"\"(?<id>[^)]+)" doesn't work?

0 Karma

yozhbk
Explorer

Hello,

It worked for one of the entries, but not the others... The length is always changing and so does the placement of the space; basically it's a caller ID that I'm trying to extract.

0 Karma

sundareshr
Legend

This regex looks for id="" and captures everything after that till ", so the length should matter, as long as id="" exists. Can you share a sample where it doesn't match?

0 Karma