Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a value from a field?

renanxavier
Explorer
‎08-21-2022 09:57 AM

Dear all

I have a search that returns the description of the windows event and I would like to extract the IP address informed in the text. How can I use rex command to return only that IP address?

Field example:

The server-side authentication level policy does not allow the user XXXXX SID (XXXXX) from address 192.168.10.100 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

I would really appreciate it if someone could help me

Thanks
Br.,

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-21-2022 10:01 AM

Hi @renanxavier,

if the field is called message, you could run something like this:

<your_search>
| rex field=message "address\s+(?<ip>\d+\.\d+\.\d+\.\d+)"
| table _time message ip

you can test the regex at https://regex101.com/r/HSQISX/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

renanxavier
Explorer
‎08-24-2022 05:47 AM

Hi @gcusello and @yuanliu 

Sorry for my confusion. I'm new here and I didn't know this community is working in this way. I will Accept the first answer as Solution and Close this.

Thank you

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-21-2022 10:01 AM

Hi @renanxavier,

if the field is called message, you could run something like this:

<your_search>
| rex field=message "address\s+(?<ip>\d+\.\d+\.\d+\.\d+)"
| table _time message ip

you can test the regex at https://regex101.com/r/HSQISX/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

renanxavier
Explorer
‎08-23-2022 10:57 AM

Thank you so much @gcusello . It will be very helpful

 

Another question... How can I use regex to search the information that can come in other ways? Should I use conditions AND/OR? Let's suppose that this field can have the hostname (characters + numbers) or IP Address (numbers).  How can I do this in the same regex?

The message should be:
...from address 192.168.10.100 to activate DCOM server...
OR
...from computer 192.168.10.100 to activate DCOM server...
OR
...from computer PCSCAX02 to activate DCOM server...


I can do this running regex three times with separated expression, but I think this is not a "smart way" to code 😕

 

Thanks

Br.,

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-23-2022 11:51 PM

Hi @renanxavier,

as @yuanliu said, this is a new question and it's better to create a new question to have a quicker and probably better answer.

And it's better, for the other people of Community, to have an accepted answer.

Anyway, you can use the Splunk search features or the regex command.

The best approach is to create a fixed extraction for your field and use this new fields in the main search.

Otherwise you can use the search command or the regex command.

To create a fixed field extraction, you can use the IFX or a regex,

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-23-2022 07:40 PM

@renanxavier As @gcusello has given full solution to your original question, i.e., extract IP address, you should mark that answer as solution so this one is closed. Then if you have a different requirement, post new question.

Just as FYI, you can extract multiple values with one rex; in fact, if the message is structured (as certain types of logs often are), you can construct your expression based on that structure rather than based on characteristics of a particular component.  For example, if I can make some assumptions about the structure of the messages, the following can extract various kinds of info in one command.

| rex " from (?<entity>\w+) (?<source>\S+) to (?<action>\w+) (?<type>\w+ server)"

 Regex is extremely versatile and a lot of fun.  gcusello's answer includes a great resource to experiment and learn more.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top