Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex command to extract multiple values from base q...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have below text and i need to extract "Successfully Sent" FTP Ipaddress and store number. I could extract first portion post which it is not working.
index="biztalk_idx" sourcetype="biztalk"|dedup Description|table Description|rex field=Description "(?<ExecutionStart>.* starting to execute)"|rex field=Description "(?<SendSales>Sending sales.*)"|rex field=Description "(?<SuccessSent>SUCCESSFULLY sent\s\w+)"
"Message SUCCESSFULLY sent to FTP ftp://10.23.18.8:21/Foljesedel_171026152046_135060.xml for store: S135060."
Also for extracting different fields from different values, do we have to add rex command each time or is there any other better way?
Can someone please help. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@k_harini, based on the sample data provided, please try the following to use rex to extract ftp_address and store_no fields.
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
Please use regex101.com for testing regular expression with your sample data. Following is run anywhere search based on your sample data:
| makeresults
| eval Description="Message SUCCESSFULLY sent to FTP ftp://10.23.18.8:21/Foljesedel_171026152046_135060.xml for store: S135060."
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@k_harini, based on the sample data provided, please try the following to use rex to extract ftp_address and store_no fields.
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
Please use regex101.com for testing regular expression with your sample data. Following is run anywhere search based on your sample data:
| makeresults
| eval Description="Message SUCCESSFULLY sent to FTP ftp://10.23.18.8:21/Foljesedel_171026152046_135060.xml for store: S135060."
| rex field=Description "Message SUCCESSFULLY sent to FTP (?<ftp_address>ftp:\/\/[^\/]+)\/.*\sfor\sstore:\s(?<store_no>[^\.]+)\."
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
