Solved: How to fetch unique session strings

rajasek · ‎02-26-2015

How can we get all unique session strings from log which can contains all combinations of characters , symbols and digits,
below are the examples of log. i want to target highlighted strings.

ERROR - zrnGuiw32!1424968190354 rrr19876055

**** Error _2zG4484222!-131990868 gdffg19876055

INFO - 2XH-s0aGm2!-1319620932!14267 yyu9879tyuy

Thanks

somesoni2 · ‎02-27-2015

Are these full log entries OR you just posted a portion of it?
If these are full log entries and if your unique session strings are always in 3rd position, then try something like this

your base search | rex "^([^\s]+\s){2}(?<SessionString>[^\s]+)"

View solution in original post

cpetterborg · ‎02-27-2015

somesoni2's example works great if it is always in the 3rd position. But if that is not the case, you may want additional options. If the session id's are the 2nd to the last fields on the line, then you can do this:

your base search | rex "\s(?<SessionString>[^\s]+)\s+[^\s]+$"

So much depends on seeing a complete set of representative examples. Hopefully these are really representative of the data.

somesoni2 · ‎02-27-2015

Are these full log entries OR you just posted a portion of it?
If these are full log entries and if your unique session strings are always in 3rd position, then try something like this

your base search | rex "^([^\s]+\s){2}(?<SessionString>[^\s]+)"

rajasek · ‎03-02-2015

It worked for me. Thank you so much.
No those are not full log entries, but the regex which you provided is worked 🙂

How to fetch unique session strings

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio