Splunk Search

Regex help extracting session ID

reverse
Contributor

10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* 17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7
a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb

How do I extract the bold part (the session id) every time?
Please help.

0 Karma
1 Solution

jnudell_2
Builder

Hi @reverse
You can try this regex:

... [ your search stuff ] ...
| rex "^\S+\s+\d{4}\*(?<session_id>[^*]+)\*"

Data without the asterisks (*):

... [ your search stuff ] ...
| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:

... [ your search stuff ] ...
| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

0 Karma
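As an added check (not part of the thread), the accepted pattern run in Python against the two sample events from the question, with the stray `*` bold markers removed since the real data has none. Splunk's rex uses PCRE named groups `(?<name>...)`, which Python spells `(?P<name>...)`; the rest of the pattern is unchanged. A second, constructed variant also accepts an id that is the last token on the line, which the original `\s` terminator rejects.

```python
import re

# Accepted answer's pattern, translated only in the named-group syntax.
ACCEPTED_RE = re.compile(
    r"^\S+\s+0000(?P<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"
)

# Constructed variant: lookahead instead of consuming '\s', so an event whose
# session id is the final token (no trailing space) still matches.
TOLERANT_RE = re.compile(
    r"^\S+\s+0000(?P<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)(?=\s|$)"
)

# Constructed sample events modelled on the two lines in the question,
# with the poster's '*' markers stripped and the query string shortened.
SAMPLE_EVENTS = [
    '10.249.68.17 0000aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7 '
    '12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy '
    'HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152',
    '10.247.68.23 0000a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb '
    '17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy '
    'HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152',
]


def extract_session_id(event, pattern=ACCEPTED_RE):
    """Return the session id from one access-log event, or None when the
    event does not have the '<client-ip> 0000<id>:<suffix> ' shape."""
    match = pattern.search(event)
    return match.group("session_id") if match else None


def extract_all(events, pattern=ACCEPTED_RE):
    """Apply the extraction to a list of events, keeping None for misses."""
    return [extract_session_id(event, pattern) for event in events]


if __name__ == "__main__":
    for session_id in extract_all(SAMPLE_EVENTS):
        print(session_id)
    # Edge case: id is the last token; only the tolerant variant extracts it.
    tail_event = "10.0.0.1 0000abc:def"
    print(extract_session_id(tail_event), extract_session_id(tail_event, TOLERANT_RE))
```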

niketn
Legend

@reverse try the following rex command and confirm:

| rex "^[^\s]+\s(?<session_id>[^\s]+)\s"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

reverse
Contributor

Thanks @niketnilay, but it did not work.
Please see here:
regexr.com/4ggc2

0 Karma

reverse
Contributor

@jnudell_2 it gave me blanks in Splunk.

https://regex101.com/r/vzbrqU/1
0 Karma

reverse
Contributor

Thanks a ton Sir

0 Karma

reverse
Contributor

Worked like a charm... Many thanks again! @jnudell_2

0 Karma

reverse
Contributor

@jnudell_2 I was trying to make it bold for highlighting purposes; apologies for the confusion.
It appears that your answer is not updated.

0 Karma

jnudell_2
Builder

Your sample included asterisk symbols, and your regex sample does not. If there are no asterisk symbols you would use a different regex. I have updated the answer.

reverse
Contributor

@jnudell_2 Please guide.

@Vijeta Please guide.

0 Karma

Vijeta
Influencer

@reverse Try this

rex field=_raw  "\d{2}.\d{3}.\d{2}.\d{2} 0000\*(?<id>\S+)\*"
0 Karma

reverse
Contributor

Hey @Vijeta, thanks, but no luck.
Please see here:
https://regex101.com/r/vzbrqU/3

0 Karma