Splunk Search

How to use rex command to extract value from the end of an event?

jambraun
Explorer

I know this type of question has been asked many times before, but I haven't been able to get results from using REX. Time to ask an expert.

Here's a typical event from a search:

9/22/16
4:55:03.000 PM  

2016-09-22 20:55:03+00:00 server.domain.com F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 = STRING: All devices in the device group are in sync

host = server  
 source = /data/snmp/team_metrics_f5/teamMetricsF5__2016-09-22__server.log  
 sourcetype =team_metrics_snmp

I want to capture the value after STRING: "; e.g "All devices in the device group are in sync. This won't always be the value of course.

Here's the search string I was toying with that yielded 0 results:

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<\Sync_Status>\d+)$" | table Sync_Status
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?"<\sync_status>\w+)$" | table Sync_Status

I couldn't figure out how to get the "<" to show up, so ignore the "\" in the field name

Thanks everyone!

--Jarred

Tags (3)
0 Karma
1 Solution

lquinn
Contributor

I think the structure of your query is fine - your regex just doesn't quite work. The first one you tried is looking for a string of digits, the second one a string of word characters. Neither of these look for spaces so if you are trying to capture a string which contains spaces you will need to add this into your regex as well. So you could use something like this ...

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>[\w\s]+)$" | table Sync_Status

Alternatively, you could open your regex up further, in case other characters might appear in the string, by using .* like this ...

 index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>.*)$" | table Sync_Status

View solution in original post

lquinn
Contributor

I think the structure of your query is fine - your regex just doesn't quite work. The first one you tried is looking for a string of digits, the second one a string of word characters. Neither of these look for spaces so if you are trying to capture a string which contains spaces you will need to add this into your regex as well. So you could use something like this ...

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>[\w\s]+)$" | table Sync_Status

Alternatively, you could open your regex up further, in case other characters might appear in the string, by using .* like this ...

 index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>.*)$" | table Sync_Status

jambraun
Explorer

Brilliant. Thank you! I'm still learning syntax. I know there are about 10 different ways to accomplish this but I particularly like the catch all *.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi jambraun,

your regex either matches only number or any word character. So by changing it into this:

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 
| rex "STRING: (?<Sync_Status>[^$]+?)$" 
| table Sync_Status

you should be able to get everything after STRING until the end of line. Tested and working on regex101.com

Hope this helps ...

cheers, MuS

0 Karma

jambraun
Explorer

Works as well 🙂 Thank you for the example.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...