Splunk Search

Regex help extracting session ID

reverse
Contributor

10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* 17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7
a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb

How do I extract the session ID (the bold part) every time?
Please help.

0 Karma
1 Solution

jnudell_2
Builder

Hi @reverse
You can try this regex:

... [ your search stuff ] ...
| rex "^\S+\s+\d{4}\*(?<session_id>[^\*]+)\*"

Data without the asterisks (*):

... [ your search stuff ] ...
| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:

... [ your search stuff ] ...
| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

0 Karma
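The accepted answer's two rex patterns, applied outside Splunk to the sample lines from the question. This is an added example, not code from the thread; the log lines are constructed from the ones posted above, and the only change to the patterns is that Python's re writes a named group as (?P<name>...) where PCRE writes (?<name>...).

```python
import re
from typing import List, Optional

# Constructed sample lines modelled on the two log lines in the question: the
# first as pasted there, with the '*' bold markers, the second as the raw log
# line looks without them.
LINE_WITH_STARS = (
    "10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* "
    '17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?token=Random HTTP/1.1" 200 10855'
)
LINE_PLAIN = (
    "10.249.68.17 0000aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7 "
    '12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?token=Random HTTP/1.1" 200 10855'
)

# The accepted answer's patterns. Splunk's rex uses PCRE, which writes a named
# group as (?<name>...); Python's re spells the same group (?P<name>...).
# Everything else is identical, and the '-' right after the 0-9 range is a
# literal hyphen in both engines.
WITH_STARS = re.compile(r"^\S+\s+\d{4}\*(?P<session_id>[^*]+)\*")
PLAIN = re.compile(r"^\S+\s+0000(?P<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s")


def extract_session_id(line: str) -> Optional[str]:
    """Return the session id from one access-log line, or None if absent.

    The raw-log form is tried first, then the form with '*' markers, so the
    extraction does not come back blank when the two forms are mixed.
    """
    for pattern in (PLAIN, WITH_STARS):
        match = pattern.match(line)
        if match:
            return match.group("session_id")
    return None


def extract_session_ids(lines: List[str]) -> List[str]:
    """Extract from many lines, dropping lines that carry no session id."""
    found = (extract_session_id(line) for line in lines)
    return [sid for sid in found if sid is not None]


if __name__ == "__main__":
    for sid in extract_session_ids([LINE_PLAIN, "no session here", LINE_WITH_STARS]):
        print(sid)
```

Lines that match neither pattern yield no value, which is the same outcome as a non-matching rex leaving the field unset in Splunk.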

niketn
Legend

@reverse try the following rex command and confirm:

| rex "^[^\s]+\s(?<session_id>[^\s]+)\s"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

reverse
Contributor

Thanks @niketnilay .. but it did not work ..
Please see here
regexr.com/4ggc2

0 Karma


reverse
Contributor

@jnudell_2 it gave me blanks in Splunk..

https://regex101.com/r/vzbrqU/1
0 Karma

reverse
Contributor

Thanks a ton Sir

0 Karma

reverse
Contributor

Worked like a Charm ...Many thanks again! @jnudell_2

0 Karma

reverse
Contributor

@jnudell_2 I was trying to make it bold for highlighting purposes .. apologies for the confusion..
it appears that your answer is not updated..

0 Karma

jnudell_2
Builder

Your sample included asterisk symbols, and your regex sample does not. If there are no asterisk symbols you would use a different regex. I have updated the answer.

reverse
Contributor

@jnudell_2 Please guide.

@Vijeta Please guide.

0 Karma

Vijeta
Influencer

@reverse Try this

rex field=_raw "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} 0000\*(?<id>\S+)\*"
0 Karma

reverse
Contributor

hey @Vijeta thanks but no luck ..
Please see here
https://regex101.com/r/vzbrqU/3

0 Karma