Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a value from a field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanxavier
Explorer
08-21-2022
09:57 AM
Dear all
I have a search that returns the description of the windows event and I would like to extract the IP address informed in the text. How can I use rex command to return only that IP address?
Field example:
The server-side authentication level policy does not allow the user XXXXX SID (XXXXX) from address 192.168.10.100 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
I would really appreciate it if someone could help me
Thanks
Br.,
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
08-21-2022
10:01 AM
Hi @renanxavier,
if the field is called message, you could run something like this:
<your_search>
| rex field=message "address\s+(?<ip>\d+\.\d+\.\d+\.\d+)"
| table _time message ipyou can test the regex at https://regex101.com/r/HSQISX/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanxavier
Explorer
08-24-2022
05:47 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
08-21-2022
10:01 AM
Hi @renanxavier,
if the field is called message, you could run something like this:
<your_search>
| rex field=message "address\s+(?<ip>\d+\.\d+\.\d+\.\d+)"
| table _time message ipyou can test the regex at https://regex101.com/r/HSQISX/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renanxavier
Explorer
08-23-2022
10:57 AM
Thank you so much @gcusello . It will be very helpful
Another question... How can I use regex to search the information that can come in other ways? Should I use conditions AND/OR? Let's suppose that this field can have the hostname (characters + numbers) or IP Address (numbers). How can I do this in the same regex?
The message should be:
...from address 192.168.10.100 to activate DCOM server...
OR
...from computer 192.168.10.100 to activate DCOM server...
OR
...from computer PCSCAX02 to activate DCOM server...
I can do this running regex three times with separated expression, but I think this is not a "smart way" to code 😕
Thanks
Br.,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
08-23-2022
11:51 PM
Hi @renanxavier,
as @yuanliu said, this is a new question and it's better to create a new question to have a quicker and probably better answer.
And it's better, for the other people of Community, to have an accepted answer.
Anyway, you can use the Splunk search features or the regex command.
The best approach is to create a fixed extraction for your field and use this new fields in the main search.
Otherwise you can use the search command or the regex command.
To create a fixed field extraction, you can use the IFX or a regex,
Ciao.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
08-23-2022
07:40 PM
@renanxavier As @gcusello has given full solution to your original question, i.e., extract IP address, you should mark that answer as solution so this one is closed. Then if you have a different requirement, post new question.
Just as FYI, you can extract multiple values with one rex; in fact, if the message is structured (as certain types of logs often are), you can construct your expression based on that structure rather than based on characteristics of a particular component. For example, if I can make some assumptions about the structure of the messages, the following can extract various kinds of info in one command.
| rex " from (?<entity>\w+) (?<source>\S+) to (?<action>\w+) (?<type>\w+ server)"Regex is extremely versatile and a lot of fun. gcusello's answer includes a great resource to experiment and learn more.
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
