Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex need help

smarechal
Explorer
‎01-25-2012 04:44 AM

Hello,

I need to keep data in bold on this message:

Message=Client IP [193.50.00.00:45780] with username [p.watson@domain.fr] connected successfully to server [10.1.10.160:2598], resource [Outlook 2007] using protocol [ICA].

Is someone could help me with rex, i don't know regex at all.

Thanks a lot!!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 05:46 AM

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

View solution in original post

Reply
Solved! Jump to solution

smarechal
Explorer
‎01-25-2012 06:27 AM

Thank you a lot for your exemple! 🙂

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 06:30 AM

you're welcome. If you don't mind, please accept the answer by clicking the little check mark to the left of it

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-25-2012 05:46 AM

I might suggest reading up on regular expressions - they are kinda critical for what Splunk does. But, to get you started...

| rex "Client IP \[(?<clientip>[^]]+)\] with username \[(?<username>)[^]]+)\] connected successfully to server \[(?<server>[^]]+)\], resource \[(?<resource>[^]]+)\]"

Here's how this is supposed to work. Within regex, [ and ] denote a set of characters. So, [aeiou] will match a single vowel -- a, or e, or i, or o, or u. Putting a ^ as the first character of the set says "match anything not in this set". The + means "one or more of these", and we escape (backslash) the [ and ] when we mean them literally. So, \[(?<clientip>[^]]+)\] means something like "an open square bracket, followed by one or more of anything that is not a closed square bracket, followed by a closed square bracket." The wrapping of (?<clientip> .... ) says to assign the field name clientip to what's inside the parentheses.

Now, go read http://www.regular-expressions.info/ and get up to speed 🙂

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...