Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Need to extract required fields using rex comm...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Friends
I am trying to extract required field from events using rex command. Can someone please help me, logs are given in attached doc.
I am new to rex command , Once i get below rex command then easy to understand
Below are fields need to extract
Kernel Audit Begin, Kernel Begin,pam_unix Begin,Postfix Begin,-SSHD Begin,Sudo (secure-log) Begin,Disk Space Begin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rakesh44,
let mi know: do you want to extract the following fields?
- TimeStamp
- Date Range Processed
- Detail Level of Output
- Type of Output/Format
- Logfiles for Host
If these are the fields to extract from the example you shared, try to use the following regex
Processing Initiated: (?<TimeStamp>\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+.*Date Range Processed:\s+yesterday\s+\(\s+(?<Date_Range>[^ ]*)\s+.*\s+.*\s+Detail Level of Output:(?<Level_of_input>[^ ]*)\s+Type of Output\/Format:\s+(?<Type>.*)\s*Logfiles for Host: (?<Logfile>[^ ]*)\s+\#
You can test it at https://regex101.com/r/JNMRCz/1
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rakesh44,
let mi know: do you want to extract the following fields?
- TimeStamp
- Date Range Processed
- Detail Level of Output
- Type of Output/Format
- Logfiles for Host
If these are the fields to extract from the example you shared, try to use the following regex
Processing Initiated: (?<TimeStamp>\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+.*Date Range Processed:\s+yesterday\s+\(\s+(?<Date_Range>[^ ]*)\s+.*\s+.*\s+Detail Level of Output:(?<Level_of_input>[^ ]*)\s+Type of Output\/Format:\s+(?<Type>.*)\s*Logfiles for Host: (?<Logfile>[^ ]*)\s+\#
You can test it at https://regex101.com/r/JNMRCz/1
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Gcusello , it worked for me rest I would create it
Processing Initiated: (?\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+.Date Range Processed:\s+yesterday\s+(\s+(?[^ ])\s+.\s+.\s+Detail Level of Output:(?[^ ])\s+Type of Output\/Format:\s+(?.)\s*Logfiles for Host: (?[^ ]*)\s+#
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good!
if you're satisfied of this answer, please accept and/or upvote it.
At the next time.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you give me the sample value of extraction required for Kernel Audit Begin?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to prepare dashboard for each field as mentioned, hence need all values of fields.
Kernel Audit Begin : Nee all values of field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unmatched Entries (Only first 100 out of 127 are printed)
dispatch err (pipe full) event lost
dispatch error reporting limit reached - ending report notification.
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
