Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract field name containing square brackets, "conn[SSL/TLS]=23832"?

dangerusty
Engager
‎03-09-2018 09:04 AM

I have an auto-extracted field name of "conn" (conn=12345), but if the connection is SSL, then the field name becomes "conn[SSL/TLS]". I'd like to use that field name while doing things like transaction, but i cant find any way to get around those square brackets. I've tried double quotes, single quotes, dollar signs, renaming it to "conn", field alias to "conn", escaping the brackets. I assume I need rex, but
I don't know where to start.

Ideally I'd like a search of "conn=12345" to include both field names (conn & conn[SSL/TLS] as if they were one, but I'd settle for a successful rename (conn=12345 OR connSSLTLS=12345).

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wenthold
Communicator
‎03-30-2018 08:47 AM

In your field extraction, try the regex for the conn field:

conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)

Breaking the regex down:

  • (?: - Start of non-capturing group
  • [ - Escaped bracket, it will match the open bracket in the event
  • [^]]+ - Move ahead until the close bracket is found in the event
  • ] - Match the close bracket in the event
  • ) - End the non-capturing group
  • ? - everything in in the capturing group is optional - will match conn=12345 or conn[ssl/tls]=12345

For the field to be extracted, [0-9]+ will capture every numeric character after the "=", but if you expect any non-numeric characters you'll have to account for that.

View solution in original post

Reply
Solved! Jump to solution
Solution

wenthold
Communicator
‎03-30-2018 08:47 AM

In your field extraction, try the regex for the conn field:

conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)

Breaking the regex down:

  • (?: - Start of non-capturing group
  • [ - Escaped bracket, it will match the open bracket in the event
  • [^]]+ - Move ahead until the close bracket is found in the event
  • ] - Match the close bracket in the event
  • ) - End the non-capturing group
  • ? - everything in in the capturing group is optional - will match conn=12345 or conn[ssl/tls]=12345

For the field to be extracted, [0-9]+ will capture every numeric character after the "=", but if you expect any non-numeric characters you'll have to account for that.

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎03-09-2018 09:51 AM

This can handle the very simple rename option:

| rename "*[*/*]*" AS ****
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...