10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152
10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* 17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152
aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7
a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb
How do I always extract the bold part (the session id)?
Please help.
Hi @reverse
You can try this regex:
... [ your search stuff ] ...
| rex "^\S+\s+\d{4}\*(?<session_id>[^\*]+)\*"
Data without the asterisks (*):
... [ your search stuff ] ...
| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"
If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:
... [ your search stuff ] ...
| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"
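To see what each of those rex patterns actually captures before putting it into a search, here is an added Python check (not part of the answer above and not Splunk code) that runs them over constructed events modelled on the two lines in the question, both with and without the highlighting asterisks. Splunk rex takes PCRE named groups `(?<name>...)`, so the helper rewrites them to Python's `(?P<name>...)`; the helper names are my own.

```python
import re

# Constructed sample events modelled on the two lines in the question (shortened, not real data).
EVENTS_WITH_STARS = [
    '10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 '
    '12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?token=Random HTTP/1.1" 200 10855',
    '10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* '
    '17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?token=Random HTTP/1.1" 200 10855',
]
# The same events as they look once the highlighting asterisks are gone.
EVENTS_NO_STARS = [e.replace("*", "") for e in EVENTS_WITH_STARS]

# The rex patterns from the answer, in the PCRE syntax Splunk accepts.
REX_STARS    = r"^\S+\s+\d{4}\*(?<session_id>[^\*]+)\*"
REX_NO_STARS = r"^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"
REX_ZEROS    = r"^\S+\s+0000(?<session_id>[a-zA-Z0-9_-]+:[a-zA-Z0-9]+)\s"


def to_python_regex(pcre: str) -> str:
    """Splunk rex uses PCRE named groups `(?<name>...)`; Python's re only accepts
    `(?P<name>...)`. Rewrite those, but leave lookbehinds `(?<=` / `(?<!` alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre)


def rex(pattern: str, raw: str):
    """Mimic `| rex` on a single _raw event: the named captures as a dict, or
    None when the pattern does not match (Splunk would leave the field blank)."""
    m = re.search(to_python_regex(pattern), raw)
    return m.groupdict() if m else None


def session_ids(pattern: str, events):
    """Run one rex pattern over every event; None marks an event that gives a blank field."""
    return [(rex(pattern, e) or {}).get("session_id") for e in events]


if __name__ == "__main__":
    for label, pat, evs in [("stars", REX_STARS, EVENTS_WITH_STARS),
                            ("no stars", REX_NO_STARS, EVENTS_NO_STARS),
                            ("0000 prefix", REX_ZEROS, EVENTS_NO_STARS),
                            ("stars pattern on star-less data", REX_STARS, EVENTS_NO_STARS)]:
        print(f"{label:34} -> {session_ids(pat, evs)}")
```

The last case is the "blanks in Splunk" symptom: the asterisk pattern silently yields no field when the raw event has no asterisks, so check which form your data really has before choosing.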
@reverse try the following rex command and confirm:
| rex "^[^\s]+\s(?<session_id>[^\s]+)\s"
Thanks @niketnilay .. but did not work ..
Please see here
regexr.com/4ggc2
@jnudell_2 it gave me blanks in Splunk..
https://regex101.com/r/vzbrqU/1
Thanks a ton Sir
Worked like a charm ... Many thanks again! @jnudell_2
@jnudell_2 I was trying to make it bold for highlighting purposes .. apologies for the confusion..
It appears that your answer is not updated..
Your sample included asterisk symbols, and your regex sample does not. If there are no asterisk symbols you would use a different regex. I have updated the answer.
@jnudell_2 Please guide.
@Vijeta Please guide.
@reverse Try this
rex field=_raw "\d{2}.\d{3}.\d{2}.\d{2} 0000\*(?<id>\S+)\*"
Hey @Vijeta, thanks but no luck ..
Please see here
https://regex101.com/r/vzbrqU/3