Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex need help

smarechal
Explorer
‎01-25-2012 04:44 AM

Hello,

I need to keep data in bold on this message:

Message=Client IP [193.50.00.00:45780] with username [p.watson@domain.fr] connected successfully to server [10.1.10.160:2598], resource [Outlook 2007] using protocol [ICA].

Is someone could help me with rex, i don't know regex at all.

Thanks a lot!!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 05:46 AM

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

View solution in original post

Reply
Solved! Jump to solution

smarechal
Explorer
‎01-25-2012 06:27 AM

Thank you a lot for your exemple! 🙂

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 06:30 AM

you're welcome. If you don't mind, please accept the answer by clicking the little check mark to the left of it

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 05:46 AM

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...