Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract text from Message field

HMIPowell
Explorer
‎05-19-2021 11:47 AM

This should be something simple to figure out, but I can't get it to work.  I want to extract username from Message field of Sec Event Log


Message=NPS Extension for Azure MFA: CID: 6gof474f-4g9d-894f-asb-9abffedxs618 : Access Accepted for user Barry.Allen@LexLIndustries.org with Azure MFA response: Success and message: session r334r562-cf4f-7584-afc5-essdfs4dd67
 
I want to pull the email address after 'user' in message and assign it to a field. Any help appreciated. 
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HMIPowell
Explorer
‎05-20-2021 04:47 AM

I was able to use the following to get what I needed.

| rex field=Message "\S*user (?<TestField>\S*)"

Thanks for some of the ideas

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎05-19-2021 01:27 PM 
| makeresults 
| eval Message="NPS Extension for Azure MFA: CID: 6gof474f-4g9d-894f-asb-9abffedxs618 : Access Accepted for user Barry.Allen@LexLIndustries.org with Azure MFA response: Success and message: session r334r562-cf4f-7584-afc5-essdfs4dd67"
| rex field=Message "user (?<email>.*) with"
0 Karma
Reply
Solved! Jump to solution
Solution

HMIPowell
Explorer
‎05-20-2021 04:47 AM

I was able to use the following to get what I needed.

| rex field=Message "\S*user (?<TestField>\S*)"

Thanks for some of the ideas

0 Karma
Reply
Solved! Jump to solution

vaishalireddy
New Member
‎05-30-2022 11:12 PM

What is <TestField> here?

0 Karma
Reply
Solved! Jump to solution

96nick
Communicator
‎05-19-2021 12:13 PM

Hey HMIPowell,

If your goal was to do this at search time (meaning in your search) you will use the rex command to accomplish this. There are multiple ways to do the regex and the final solution will depend on what the other logs in your search look like. One way to accomplish this field extraction is to use lookaheads and lookbehinds.

 

| yoursearch

| rex field=Message "((?<email>)?<=user)(.+?(?=with))"

| restofsearch

This will extract the email field by taking the text between (and not including) the words 'user' and 'with'. This may not work in your environment if other similar logs are present.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
li.common.scroll-to.top