Re: How to extract the field by using regex?

Peru123 · ‎12-08-2022

Hi , I need to extract the value FISOBPIT10101 from the below lines.

message:PSUS7|8897|FISOBPIT10101|OWA|8897|8897|SignOnID|SPT|adding routing key in producer

yuanliu · ‎12-08-2022

Depending on whether the leading phrase "message" and the trailing phrases such as "adding routing key in producer" are important, you can use rex or just

If those phrases are unimportant, use split. It is more efficient.

| eval of_interest = mvindex(split(your_field, "|"), 2)

If the first phrase and the last are important,

| rex field=your_field "message:(\d+|){2}(?<of_interest>\w+)(|\d+){5}|adding routing key in producer"

ITWhisperer · ‎12-08-2022

| rex "([^|]+\|){2}(?<field>[^|]+)"

https://regex101.com/r/UTPJb4/1

Peru123 · ‎12-08-2022

Hi , I need this value only FISOBPIT10101

ITWhisperer · ‎12-08-2022

| rex "([^|]+\|){2}(?<field>FISOBPIT10101)"

StefanoA · ‎12-08-2022

You could go with | erex , if you're not expert with RegExs.

Otherwise, assuming the value is always in that position and not assuming a specific set of alphanumeric values, go with the following (13 steps per log, very efficient)

| rex field=<yourFieldOr_raw> "^(?:[^\|\v]*+\|){2}(?<yourValue>[^\|\v]*)"

How to extract the field by using regex?

regex

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

Observability Highlights | January 2023 Newsletter