Solved: How to parse specific value from a field value?

wicke_s · ‎06-14-2019

Disclaimer : I'm new to Regex and using the Rex function

I have a field "Message" that has the following string format:

"EWT_Print=282, CIQ=1, Did not meet the threshold, 009s5td"

All the Message field values are going to have the same format "EWT_Print=[some number], CIQ=[some number], some text"

I am trying to extract the value of the EWT_Print, in this example 282 and display it in a table, however, I always get an empty table when I try this:

<my base search> | rex field=Message "EWT_Print=(?<EWT>[0-9]+)*"

What am I doing wrong?

jnudell_2 · ‎06-17-2019

Try:

... [ your search ] ... 

| rex "EWT_Print=(?<EWT>[^,]+),"

If that works, then try:

... [ your search ] ... 

| rex field=Message "EWT_Print=(?<EWT>[^,]+),"

View solution in original post

VatsalJagani · ‎06-18-2019

@wicke_s - Try this regex. (make sure field Message is not containing "(quote) in value.)

^EWT_Print=(?<EWT_Printer>\d+),

pranay_adla · ‎06-18-2019

  <base search> | rex field=Message "EWT_Print\=(?P<EWT>\d+)\,"

vnravikumar · ‎06-18-2019

Hi

Try this,

| makeresults 
| eval Message = "EWT_Print=282, CIQ=1, Did not meet the threshold, 009s5td" 
| rex field=Message "EWT_Print\=(?P<EWT>[\d]+)"

jnudell_2 · ‎06-17-2019

Try:

... [ your search ] ... 

| rex "EWT_Print=(?<EWT>[^,]+),"

If that works, then try:

... [ your search ] ... 

| rex field=Message "EWT_Print=(?<EWT>[^,]+),"

wicke_s · ‎06-18-2019

This did the trick, The ',' is what I was missing.....

<search> | rex "EWT_Print=(?<EWT>[0-9]+),"

is the query that worked for me. Thanks a lot

jkat54 · ‎06-14-2019

Are you searching in verbose mode? Because verbose mode auto extracts key value pairs like these you have.

If not in verbose mode you can use the '| extract' command to achieve the same result.

wicke_s · ‎06-14-2019

Thanks for your reply! I am searching in verbose mode and I also tried the search with the "extract" keyword. Still returns empty table

jkat54 · ‎06-15-2019

What's your full search?

wicke_s · ‎06-17-2019

index=<index> sourcetype=<sourcetype> Message="EWT_Print*" | rex field=Extended_Field.Message "EWT_Print=(?<EWT>[0-9]+)"| table EWT

jkat54 · ‎06-17-2019

Try renaming the field first
...
| rename Extended_Field.Message as message
| rex field=message
...

richgalloway · ‎06-14-2019

Your regex looks good, although the * is not needed. It works in regex101.com. Have you tried without the *?

---
If this reply helps you, Karma would be appreciated.

wicke_s · ‎06-14-2019

Yes, I got the regex from regex101.com 🙂

I tried without the * and it still doesn't work. I tried without the table and I could see I have at least 133 events matching the search, however the rex still doesn't work.

Thanks for taking the time to look into this!

How to parse specific value from a field value?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies