Regex help extracting session ID

reverse
Contributor

10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* 17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7
a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb

How do I always extract the bold part (the session ID)?
Please help.

0 Karma
1 Solution

jnudell_2
Builder

Hi @reverse
You can try this regex:

... [ your search stuff ] ...
| rex "^\S+\s+\d{4}\*(?<session_id>[^\*]+)\*"

Data without the asterisks (*):

... [ your search stuff ] ...
| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"

If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:

... [ your search stuff ] ...
| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"

0 Karma

niketnilay
Legend

@reverse try the following rex command and confirm:

| rex "^[^\s]+\s(?<session_id>[^\s]+)\s"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
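Added example (not code from any post in this thread or from Splunk): the rex patterns from the accepted answer and from @niketnilay's reply, run offline against the two sample events from the question. Splunk's rex takes PCRE named groups, `(?<name>...)`, while Python's re spells them `(?P<name>...)`, so the small pcre_to_python helper (mine, as are the constructed sample list and the abridged query string) rewrites that before compiling. Running it shows why each variant behaves as reported in the thread: the asterisk pattern returns nothing on the asterisk-free raw events (the blanks), it comes up one character short on the first marked-up event because the question's closing marker sits before the trailing 7, and the second-field pattern keeps the leading 0000 that the question wants dropped.

```python
import re

# Constructed sample events, copied from the question with the query string
# abridged. The question's bold markup survived as literal '*' around the
# session id, so EVENTS_RAW (asterisks stripped) is what actually sits in the
# access log.
EVENTS_WITH_ASTERISKS = [
    '10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 '
    '12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy HTTP/1.1" '
    '200 10855 dyrwasp026tw.ca.us:21152',
    '10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* '
    '17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy HTTP/1.1" '
    '200 10855 dyrwasp026tw.ca.us:21152',
]
EVENTS_RAW = [event.replace("*", "") for event in EVENTS_WITH_ASTERISKS]

# The values the question says should come out.
EXPECTED_SESSION_IDS = [
    "aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7",
    "a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb",
]

# The rex patterns as posted in the thread (PCRE syntax, as Splunk's rex takes them).
REX_ASTERISKS = r"^\S+\s+\d{4}\*(?<session_id>[^\*]+)\*"
REX_NO_ASTERISKS = r"^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"
REX_FIXED_PREFIX = r"^\S+\s+0000(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"
REX_SECOND_FIELD = r"^[^\s]+\s(?<session_id>[^\s]+)\s"


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    The lookahead for a name character leaves lookbehinds (?<= and (?<! untouched.
    Helper added for this example; Splunk itself needs no such conversion.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(pattern: str, event: str, field: str = "session_id"):
    """Apply one rex-style pattern to one event.

    Returns the named capture, or None where rex would leave the field empty
    (the "blanks" reported in the thread).
    """
    match = re.search(pcre_to_python(pattern), event)
    return match.group(field) if match else None


def extract_all(pattern: str, events, field: str = "session_id"):
    """Run extract() over a list of events, keeping one result per event."""
    return [extract(pattern, event, field) for event in events]


if __name__ == "__main__":
    cases = [
        ("asterisk pattern, events with asterisks", REX_ASTERISKS, EVENTS_WITH_ASTERISKS),
        ("asterisk pattern, raw events", REX_ASTERISKS, EVENTS_RAW),
        ("no-asterisk pattern, raw events", REX_NO_ASTERISKS, EVENTS_RAW),
        ("fixed 0000 prefix, raw events", REX_FIXED_PREFIX, EVENTS_RAW),
        ("second whitespace-delimited field, raw events", REX_SECOND_FIELD, EVENTS_RAW),
    ]
    for label, pattern, events in cases:
        print(f"{label}:")
        for got, want in zip(extract_all(pattern, events), EXPECTED_SESSION_IDS):
            print(f"  {'OK ' if got == want else 'BAD'} {got!r}")
```

Run it as a script to print each variant's result next to the expected value. The same two-step check (test the pattern against a few copied events, then paste it into rex) is a cheap way to catch a markup-mangled character class or a mismatch between the sample and the real events before a search silently fills the field with empty values.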

reverse
Contributor

Thanks @niketnilay, but it did not work.
Please see here:
regexr.com/4ggc2

0 Karma

reverse
Contributor

@jnudell_2 it gave me blanks in Splunk.

https://regex101.com/r/vzbrqU/1
0 Karma

reverse
Contributor

Thanks a ton, Sir.

0 Karma

reverse
Contributor

Worked like a charm... Many thanks again, @jnudell_2!

0 Karma

reverse
Contributor

@jnudell_2 I was trying to make it bold for highlighting purposes; apologies for the confusion.
It appears that your answer is not updated.

0 Karma

jnudell_2
Builder

Your sample included asterisk symbols, and your regex sample does not. If there are no asterisk symbols you would use a different regex. I have updated the answer.

reverse
Contributor

@jnudell_2 Please guide.

@Vijeta Please guide.

0 Karma

Vijeta
Influencer

@reverse Try this

| rex field=_raw "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} 0000\*(?<id>\S+)\*"
0 Karma

reverse
Contributor

Hey @Vijeta, thanks, but no luck.
Please see here:
https://regex101.com/r/vzbrqU/3

0 Karma