Solved: Re: How to extract value from raw events?

marco_massari11 · ‎02-15-2022

Hi,

I have different log types like:

<SQL > <TID: 0000000050> <RPC ID: 0002424958> <Queue: List > <Client-RPC: 390620 > <USER: *** > <Overlay-Group: 1 > /* Fri Feb 04 2022 17:47:10.0461 */SELECT * FROM ( SELECT T226.C1,C600000451 FROM T226 WHERE (('CC0000132482648' = T226.C600000451) AND ('7459898' = T226.C600000001)) ORDER BY 1 ASC ) WHERE ROWNUM <= 2

Or

<SQL > <TID: 0000000056> <RPC ID: 0002424078> <Queue: Fast > <Client-RPC: 390620 > <USER: *** > <Overlay-Group: 1 > /* Fri Feb 04 2022 17:46:53.9515 */SELECT C999003082 FROM T226 WHERE C1 = 'CC0000272965790'

I need to extract the CC* value, for example in this case CC0000132482648 (first log) and CC0000272965790 (second log).

Thanks in advance!

ITWhisperer · ‎02-15-2022

| rex "(?<ccvalue>CC\d+)"

View solution in original post

keen · ‎02-15-2022

Use regex (rex command) like

index=example_index | rex field=_raw (?<name_group>CC[0-9]*)

ITWhisperer · ‎02-15-2022

| rex "(?<ccvalue>CC\d+)"

How to extract value from raw events?

field extraction

fields

other

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?