Splunk Search

How to generate the regex to extract distinct values of this field?

lsy9891
Engager

Hi,

I have events with the field WindowsIdentity. Some examples of this field values are:

WindowsIdentity: IIS APPPOOL\login20.monster.com
IIS APPPOOL\ jobs.monster.com
IIS APPPOOL\ hiring.channels.monster.com_jcm
IIS APPPOOL\ wwwcs.channels.monster.com

I tried extracting it with the IFX and I used it like this: rex field=WindowsIdentity "(?P\w+)" but it extracts IIS instead of the text highlighted in bold?

Tags (3)
0 Karma

wenthold
Communicator

I'm not entirely clear how your messages are actually formatted - is "WindowsIdentity" the name of the field and also part of the field? are all these lines part of the same message and you want to skip the first value - "WindowsIdentity: IIS APPPOOL\login20.monster.com"?

Maybe this will work:

{ ... base search ... }
| rex max_match=100 field=WindowsIdentity "IIS APPPOOL\\\+\s?(?<App>.*?)\.monster\.com"
| eval app_count=mvcount(App) | eval App=mvindex(App,1,app_count)
0 Karma

KailA
Contributor

Hello,

You can try this regex

| rex field=WindowsIdentity "(?<yourNewField>[\w\.]+)\.monster"

This is an example :

| makeresults
| eval WindowsIdentity = "IIS APPPOOL\ jobs.monster.com"
| rex field=WindowsIdentity "(?<yourNewField>\w+)\.monster"
0 Karma

lsy9891
Engager

Hi, the rex command extracted some important info from the URL. For example,

IIS APPPOOL\career-advice.monster.com should be extracted to career-advice and not channels. Basically, anything that's between \ and monster.com. How should I fix that?

0 Karma

KailA
Contributor

Hello,

This regex is a bit greedy but its doing exactly what you ask:

| makeresults
 | eval WindowsIdentity = "IIS APPPOOL\career-advice.monster.com"
 | rex field=WindowsIdentity "\\\\(?<yourNewField>.*)\.monster"

If you need another regex that is a bit more safe you can use this one :

| makeresults
| eval WindowsIdentity = "IIS APPPOOL\career-advice.monster.com"
| rex field=WindowsIdentity "\\\\(?<yourNewField>[\w\-\.]+)\.monster"

And if it's not matching a particular character you can add it to this part [\w\-\.]+

0 Karma

memarshall63
Communicator

Yep. I like @KailA 's last one best. I'm suffering from \\ (backslash-backslash) whiplash. 🐵 Suggest letting https://regex101.com/ help you get to the end of it.

0 Karma

memarshall63
Communicator
 | rex field=WindowsIdentity "IIS APPPOOL\\(?P<yourNewField>[.\w]+).monster"
0 Karma

lsy9891
Engager

I got Error in 'rex' command: Encountered the following error while compiling the regex 'IIS APPPOOL(?P[.\w]+).monster': Regex: unmatched closing parenthesis

0 Karma