Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex and Regex Field Extraction

mistertj3
Engager
‎03-27-2013 10:44 AM

Hello all,

I am trying to extract fields (tried the dynamic extraction and manual using rex&regex) but am unable to get it just right. My data looks like the following:

Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group",
Username = "User", IP = "ip_address",
Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734,
Bytes rcv: 4557700, Reason: User Requested

I would like to extract the Bytes xmt and Bytes rcv to separate fields (on search time). Then I would like pipe to an eval statement that adds them then another pipe to the timechart.

I have tried a lot of regex and rex combinations using this site regular expression reference as a ref . But I've only gotten as far as rex field=_raw "Bytes xmt: (?.,)" , which only gives the first decimal?

I am probably doing this entirely wrong as this is my first expression so any help you can give would be great!

Thank you,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lain179
Communicator
‎03-27-2013 11:42 AM

How about


rex field=_raw ".*Bytes xmt: (?<bxmt>\d+), Bytes rcv: (?<brcv>\d+),.*"

View solution in original post

Reply
Solved! Jump to solution
Solution

lain179
Communicator
‎03-27-2013 11:42 AM

How about


rex field=_raw ".*Bytes xmt: (?<bxmt>\d+), Bytes rcv: (?<brcv>\d+),.*"

Reply
Solved! Jump to solution

mistertj3
Engager
‎03-30-2013 10:58 AM

Got it and now have a better understanding of rex&regex. Thank you for all of your help and prompt responses!

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎03-27-2013 01:25 PM

Edited to show the backslashes.

Reply
Solved! Jump to solution

cphair
Builder
‎03-27-2013 12:39 PM

There should be backslashes in front of the d+ characters. The comment forum doesn't always post them properly.

0 Karma
Reply
Solved! Jump to solution

mistertj3
Engager
‎03-27-2013 12:15 PM

Thank you for your prompt response. I've copied and pasted what you've wrote, but the extracted fields bxmt and brcv do not show up under the selected fields nor interesting fields, so seemingly they have not been extracted. Is there something I'm missing or do I just pipe the additional statements (eval and timechart)?

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...