Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex need help

smarechal
Explorer
‎01-25-2012 04:44 AM

Hello,

I need to keep data in bold on this message:

Message=Client IP [193.50.00.00:45780] with username [p.watson@domain.fr] connected successfully to server [10.1.10.160:2598], resource [Outlook 2007] using protocol [ICA].

Is someone could help me with rex, i don't know regex at all.

Thanks a lot!!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 05:46 AM

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

View solution in original post

Reply
Solved! Jump to solution

smarechal
Explorer
‎01-25-2012 06:27 AM

Thank you a lot for your exemple! 🙂

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 06:30 AM

you're welcome. If you don't mind, please accept the answer by clicking the little check mark to the left of it

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 05:46 AM

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...