Splunk Search

How to write regex to extract my field?

tlow
Explorer

Hi, i'm try using the interactive field extractor tools create a field for this

"Exception Message"="Thread was being aborted."

but getting following error "The generated regex was unable to match all examples (e.g., =, Thread was being aborted., Exception Message). Consider entering different examples, or manually editing the regex."

any suggestion a regex syntax or how to auto detect the field it?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you're asking about extracting the field name along with the field value, you can do that with a combination of props.conf and transforms.conf:

props.conf

[your_sourcetype]
REPORT-kv = extract_quoted_fields
...

transforms.conf

[extract_quoted_fields]
REGEX = "(?<_KEY_1>([^"]|\\")+)"\s*=\s*"(?<_VAL_1>([^"]|\\")+)"

Make sure my Q'n'D regex actually suits your data, didn't test it myself. The main thing is to use the magic _KEY_x and _VAL_x names to extract both field names and field values in one swoop.

0 Karma

somesoni2
Revered Legend

For Search time

your base search | rex field=_raw "\"Exception Message\"=\"(?<ExceptionMessage>[^\"]*)\""

In Props.conf

EXTRACT-exceptionmsg = \"Exception Message\"=\"(?<ExceptionMessage>[^\"]*)\"

tlow
Explorer

works great, but how to setup it up so that splunk automatic recognize fields based on

"Exception Message"="*"

for example splunk recognize this Source=OAA.Security.PassiveSTS.Shell automatic assigning "Source" as the field,
thank-you for your help

0 Karma

tlow
Explorer

"Exception Message"="Thread was being aborted.", Source=OAA.Security.PassiveSTS.Shell, TargetSite="Void SignOutRequest()", WindowsIdentity="IIS APPPOOL\Test.com"

Above is the logs, but splunk auto assign the field to "Source" ,"TargetSite" and "WindowsIdentity" but not "Exception Message" or maybe the "

i want extract exception message "Exception Message"="*" or better to have it in props.conf to auto assign it.
thanks

0 Karma

somesoni2
Revered Legend

Can you post some complete sample events, along with the what string to extract?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...