Splunk Search

Regex: Help extracting user ID, session ID, and browser

reverse
Contributor
2019.06.26 13.18.18.186 ERROR presentation [WebContainer : 5]: **********Browser information - ***********Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ** Session ID is ** - xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx ****** User ID ******uhyh\abcdefg** Is User using privacy/inCognito mode : **false** User using tab with ID : **2ee981ea-3eb4-4982-bdbb-6ff0d4a4c242

Please help me with extracting:

  • user id =uhyh\abcdefg
  • session id = xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx
  • browser = Mozilla/5.0

Please guide.

0 Karma
1 Solution

Vijeta
Influencer

@reverse - Use these for each field

| rex field=_raw "\*{0,10}Browser\s+information{0,20} - \*{0,20}(?<browser>.*) \(" | rex field=_raw "Session ID is \*{2} - (?<session>\S+)" | rex field=_raw "User ID \*{1,10}(?<user>\S+)\*{2}"

View solution in original post

0 Karma

niketn
Legend

@reverse try the rex from the following run anywhere example | rex "Browser\sinformation\s\-\s\*+(?<BrowserInfo>[^\s]+).*Session ID is \*+\s\-\s(?<SessionID>[^\*]+)\*+\sUser\sID\s\*+(?<UserID>[^\*]+)\*+"

| makeresults
| eval _raw=" 2019.06.26 13.18.18.186 ERROR presentation [WebContainer : 5]: **********Browser information - ***********Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ** Session ID is ** - xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx ****** User ID ******uhyh\abcdefg** Is User using privacy/inCognito mode : **false** User using tab with ID : **2ee981ea-3eb4-4982-bdbb-6ff0d4a4c242"
| table _time _raw
| rex "Browser\sinformation\s\-\s\*+(?<BrowserInfo>[^\s]+).*Session ID is \*+\s\-\s(?<SessionID>[^\*]+)\*+\sUser\sID\s\*+(?<UserID>[^\*]+)\*+"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Vijeta
Influencer

@reverse - Use these for each field

| rex field=_raw "\*{0,10}Browser\s+information{0,20} - \*{0,20}(?<browser>.*) \(" | rex field=_raw "Session ID is \*{2} - (?<session>\S+)" | rex field=_raw "User ID \*{1,10}(?<user>\S+)\*{2}"
0 Karma

reverse
Contributor

one minor update @Vijeta .. i added ? after * to make it not greedy to match (.. there were many ( in my logs ..
by putting ? it worked perfectly ..

0 Karma

reverse
Contributor

Amazing ..Thanks a ton!

0 Karma

reverse
Contributor

Please guide. @jnudell_2 @Vijeta

0 Karma
Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...