Splunk Search

Regex: Help extracting user ID, session ID, and browser

reverse
Contributor
2019.06.26 13.18.18.186 ERROR presentation [WebContainer : 5]: **********Browser information - ***********Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ** Session ID is ** - xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx ****** User ID ******uhyh\abcdefg** Is User using privacy/inCognito mode : **false** User using tab with ID : **2ee981ea-3eb4-4982-bdbb-6ff0d4a4c242

Please help me with extracting:

  • user id =uhyh\abcdefg
  • session id = xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx
  • browser = Mozilla/5.0

Please guide.

0 Karma
1 Solution

Vijeta
Influencer

@reverse - Use these for each field

| rex field=_raw "\*{0,10}Browser\s+information{0,20} - \*{0,20}(?<browser>.*) \(" | rex field=_raw "Session ID is \*{2} - (?<session>\S+)" | rex field=_raw "User ID \*{1,10}(?<user>\S+)\*{2}"

View solution in original post

0 Karma

niketn
Legend

@reverse try the rex from the following run anywhere example | rex "Browser\sinformation\s\-\s\*+(?<BrowserInfo>[^\s]+).*Session ID is \*+\s\-\s(?<SessionID>[^\*]+)\*+\sUser\sID\s\*+(?<UserID>[^\*]+)\*+"

| makeresults
| eval _raw=" 2019.06.26 13.18.18.186 ERROR presentation [WebContainer : 5]: **********Browser information - ***********Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko ** Session ID is ** - xZB1wEDYSWWEOxE3Hh9ke1GWnsRuEyZRY_PtogsnSU28-17Wx ****** User ID ******uhyh\abcdefg** Is User using privacy/inCognito mode : **false** User using tab with ID : **2ee981ea-3eb4-4982-bdbb-6ff0d4a4c242"
| table _time _raw
| rex "Browser\sinformation\s\-\s\*+(?<BrowserInfo>[^\s]+).*Session ID is \*+\s\-\s(?<SessionID>[^\*]+)\*+\sUser\sID\s\*+(?<UserID>[^\*]+)\*+"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Vijeta
Influencer

@reverse - Use these for each field

| rex field=_raw "\*{0,10}Browser\s+information{0,20} - \*{0,20}(?<browser>.*) \(" | rex field=_raw "Session ID is \*{2} - (?<session>\S+)" | rex field=_raw "User ID \*{1,10}(?<user>\S+)\*{2}"
0 Karma

reverse
Contributor

one minor update @Vijeta .. i added ? after * to make it not greedy to match (.. there were many ( in my logs ..
by putting ? it worked perfectly ..

0 Karma

reverse
Contributor

Amazing ..Thanks a ton!

0 Karma

reverse
Contributor

Please guide. @jnudell_2 @Vijeta

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...