Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex help

smineo
Engager
‎07-09-2024 04:42 PM

Hi, I have a search result with the field message.log, and the field contains this example pattern

 

/opt/out/instance/log/audit.log 2023-06-04 21:32:59,422| tid:c-NMqD-hKsPm_AEzEJQyGx4O1kY| SSO| 8e4567c0-9f3a-25a1-a22d-e6b3744559a52| 123.45.678.123 | | this-value-here| SAML20| node1-1.nodeynode.things.svc.cluster.local| IdP| success| yadayadaAdapter| | 285

I'd like to rex "this-value-here" which is always preceded by the pattern pipe-space-pipe-space and always followed by pipe-space-SAML20.

Having trouble with the rex expression, appreciate the assistance.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2024 05:18 PM

I quick test in regex101.com produced this regular expression.

\| \|(?<value>[^\|]+)\| SAML20
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-09-2024 05:57 PM

Hi @smineo .. Rich's rex working perfectly..  

| makeresults |eval log="/opt/out/instance/log/audit.log 2023-06-04 21:32:59,422| tid:c-NMqD-hKsPm_AEzEJQyGx4O1kY| SSO| 8e4567c0-9f3a-25a1-a22d-e6b3744559a52| 123.45.678.123 | | this-value-here| SAML20| node1-1.nodeynode.things.svc.cluster.local| IdP| success| yadayadaAdapter| | 285" 
| rex field=log "\| \|(?<value>[^\|]+)" |table log value

rex10thjuly.jpg

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2024 05:18 PM

I quick test in regex101.com produced this regular expression.

\| \|(?<value>[^\|]+)\| SAML20
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

smineo
Engager
‎07-09-2024 07:32 PM

Great, thanks. Could you tell me what you did there to get that?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2024 05:29 AM

It's simple, really, since we know what precedes and follows the desired field.  Just put the known text into the regular expression and add a named capture group between them.  The pattern for the capture group can be either a non-greedy match of anything (.*?) or match anything that is not what follows the field ([^\|]+).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...