Splunk Search

Regex: Help extracting user ID, session ID, and browser

reverse
Contributor
2019.06.26 13.18.18.186 ERROR presentation [WebContainer : 5]: **********Browser information - ***********Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ** Session ID is ** - xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx ****** User ID ******uhyh\abcdefg** Is User using privacy/inCognito mode : **false** User using tab with ID : **2ee981ea-3eb4-4982-bdbb-6ff0d4a4c242

Please help me with extracting:

  • user id =uhyh\abcdefg
  • session id = xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx
  • browser = Mozilla/5.0

Please guide.

0 Karma
1 Solution

Vijeta
Influencer

@reverse - Use these for each field

| rex field=_raw "\*{0,10}Browser\s+information{0,20} - \*{0,20}(?<browser>.*) \(" | rex field=_raw "Session ID is \*{2} - (?<session>\S+)" | rex field=_raw "User ID \*{1,10}(?<user>\S+)\*{2}"

View solution in original post

0 Karma

niketnilay
Legend

@reverse try the rex from the following run anywhere example | rex "Browser\sinformation\s\-\s\*+(?<BrowserInfo>[^\s]+).*Session ID is \*+\s\-\s(?<SessionID>[^\*]+)\*+\sUser\sID\s\*+(?<UserID>[^\*]+)\*+"

| makeresults
| eval _raw=" 2019.06.26 13.18.18.186 ERROR presentation [WebContainer : 5]: **********Browser information - ***********Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ** Session ID is ** - xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx ****** User ID ******uhyh\abcdefg** Is User using privacy/inCognito mode : **false** User using tab with ID : **2ee981ea-3eb4-4982-bdbb-6ff0d4a4c242"
| table _time _raw
| rex "Browser\sinformation\s\-\s\*+(?<BrowserInfo>[^\s]+).*Session ID is \*+\s\-\s(?<SessionID>[^\*]+)\*+\sUser\sID\s\*+(?<UserID>[^\*]+)\*+"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Vijeta
Influencer

@reverse - Use these for each field

| rex field=_raw "\*{0,10}Browser\s+information{0,20} - \*{0,20}(?<browser>.*) \(" | rex field=_raw "Session ID is \*{2} - (?<session>\S+)" | rex field=_raw "User ID \*{1,10}(?<user>\S+)\*{2}"
0 Karma

reverse
Contributor

one minor update @Vijeta .. i added ? after * to make it not greedy to match (.. there were many ( in my logs ..
by putting ? it worked perfectly ..

0 Karma

reverse
Contributor

Amazing ..Thanks a ton!

0 Karma

reverse
Contributor

Please guide. @jnudell_2 @Vijeta

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...