How to extract a value from a field with spaces?

yozhbk
Explorer

Hello,

I'm doing a simple alert, which looks like this:

SIP/3102-in-* you=* | table you, id

Which should extract 2 tables from a message like this:

Aug  1 10:40:08 192.168.1.201 Aug  1 10:39:17 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=11111111111|id=""Caller ID""") in new stack

What I get in return is actually this:

"11111111 Caller" (in a table form of course), but the ID is missing. For anything that comes in, only the first word before the space is shown.

I understand it's due to the way I extract it, but I'm really not sure how to form a search to make it properly produce the full string. Any help is appreciated.

1 Solution

sundareshr
Legend

Try this

SIP/3102-in-* you=* | rex "id=\"\"(?<id>[^\"]+)" |  table you, id


Jeremiah
Motivator

Try adding

| rex "id=\"\"(?<id>[^\"]+)"

to your search or

extract-ID=id=\"\"(?<id>[^\"]+)

to your props.conf stanza for this sourcetype.


yozhbk
Explorer

Thanks, but it seems to only work on some messages and not others....


gabriel_vasseur
Contributor

You would have more/better help if you actually posted examples and said "it worked for these ... but didn't work for those ...". Give as much detail as possible.


yozhbk
Explorer

I think I got it. In the example I showed, I was testing with double "" around the ID= field, so it worked with that. But my regular messages look like this:

Aug  1 11:27:04 192.168.1.201 Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=111111111|id=CALLER ID") in new stack

Really sorry for the confusion. I can add the double "" back, but I really do want to understand why just changing to


yozhbk
Explorer

Guys thank you so much. I figured it out. I guess I need to pay more attention. This is what my final search string looks like...

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id

sundareshr
Legend

@yozhbk, please accept the answer to close it out


sundareshr
Legend

rex "id=\"\"(?<id>[^)]+)" will not work because it is expecting "" after =. In your data, it appears there are no quotes after the = sign. To capture when there are no quotes, try this:

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id
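The difference between the two rex patterns in this thread comes down to whether the event has `""` after `id=`. The following Python script is an added illustration (not code from the thread or from Splunk): it runs the thread's two patterns, plus an assumed combined pattern, over both sample events posted above, and includes a deliberately simplified `naive_kv` stand-in for search-time key=value extraction that stops a value at the first space (an assumption to reproduce the "Caller" symptom, not Splunk's real extraction logic). Splunk's rex uses PCRE, where a named group is `(?<id>...)`; Python's `re` module spells the same group `(?P<id>...)`, which is the only translation made.

```python
import re
from typing import Optional

# The two sample events posted in the thread: the first wraps the id value
# in doubled quotes, the second (the real format) does not.
EVENT_QUOTED = (
    'Aug  1 10:40:08 192.168.1.201 Aug  1 10:39:17 asterisk[4015]: VERBOSE[4015]:     '
    '-- Executing [s@default:1] Set("SIP/3102-in-00000000", '
    '"you=11111111111|id=""Caller ID""") in new stack'
)
EVENT_PLAIN = (
    'Aug  1 11:27:04 192.168.1.201 Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     '
    '-- Executing [s@default:1] Set("SIP/3102-in-00000000", '
    '"you=111111111|id=CALLER ID") in new stack'
)

# The rex patterns from the thread. In SPL the pattern sits inside a
# double-quoted string, so \" is just an escaped quote. rex is PCRE, where a
# named group is (?<id>...); Python's re spells it (?P<id>...).
REX_DOUBLE_QUOTED = re.compile(r'id=""(?P<id>[^"]+)')   # the first suggestion
REX_UNQUOTED = re.compile(r'id=(?P<id>[^"]+)')          # the final working search
# Assumed generalisation (not from the thread): accept either event format.
REX_EITHER = re.compile(r'id=(?:"")?(?P<id>[^"]+)')


def extract_id(event: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return the captured id field, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("id") if m else None


def naive_kv(event: str) -> dict:
    """Simplified stand-in (an assumption, not Splunk's actual logic) for
    search-time key=value extraction that ends a value at whitespace, '|' or
    a quote. It reproduces the 'Caller' / 'CALLER' truncation seen in the thread."""
    return {k: v for k, v in re.findall(r'(\w+)=(?:"")?([^\s"|]+)', event)}


if __name__ == "__main__":
    for name, event in (("quoted", EVENT_QUOTED), ("plain", EVENT_PLAIN)):
        print(name, "naive key=value extraction:", naive_kv(event))
        for label, pat in (('id=""', REX_DOUBLE_QUOTED), ("id=", REX_UNQUOTED), ("either", REX_EITHER)):
            print(f"  {label:8} -> {extract_id(event, pat)!r}")
```

Run stand-alone it shows that `id=""(?<id>[^"]+)` matches only the doubled-quote sample, `id=(?<id>[^"]+)` matches only the unquoted sample (the `[^"]+` cannot start on a quote), and the combined pattern matches both; `naive_kv` returns `Caller` and `CALLER`, the truncated values the original search produced.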

yozhbk
Explorer

rex "id=\"\"(?<id>[^)]+)" doesn't work?


yozhbk
Explorer

Hello,

It worked for one of the entries, but not the others... The length is always changing and so does the placement of the space; basically it's a caller's ID that I'm trying to extract.


sundareshr
Legend

This regex looks for id="" and captures everything after that till ", so the length should matter, as long as id="" exists. Can you share a sample where it doesn't match?
