Splunk Search

Trouble extracting GUIDS and how to make a new field with rex?

judges88
Explorer

Trying to get these UUID/GUIDs to extract from the message field. Hoping to create a rex to extract everything after 'fieldx: ' in the 8-4-4-4-12 character window separated by each , after that. I've tried the "extract new fields" but there are well over 120 of these things and Splunk doesn't like selecting all of that and filtering keeps throwing errors. And would rather not have to do this one by one.

These are embedded in the message field as stated earlier. I'd like to make a new field with the rex if possible and name it "fieldx".

Any and all help is welcome. 

"message: Filtered marking ids for DAC property 'fieldx': abc12345-b123-c456-d789-123abx789edc, de14fc5e-22av-87dd-65d9-7563a7pleqw3, "(<----there are about 120 more in a row of these)

Thanks in advance

1 Solution

richgalloway
SplunkTrust

The OP was pretty clear about "fieldx:" being an eye-catcher, but this command should work with or without it.

| rex max_match=0 "(?<fieldx>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})"


---
If this reply helps you, Karma would be appreciated.


johnhuang
Motivator

If you want to extract all GUIDs after "fieldx":

| rex max_match=0 "(\'fieldx\':\s)?(?<fieldx_guids>\w{8}\-\w{4}-\w{4}-\w{4}-\w{12})(?:\,\s|\")"

If you want to extract all GUIDs in the data:

| rex max_match=0 "(?<guids>\w{8}\-\w{4}-\w{4}-\w{4}-\w{12})"


richgalloway
SplunkTrust

I hope you're not trying to validate the format of each GUID with regex because that is unnecessary.  Just extract everything after "fieldx':" as-is.  If you wish, you can split the extracted field on commas so each GUID is accessible using mvindex.

| rex "fieldx': (?<fieldx>.*)"
| eval fieldx=split(fieldx,", ")


---
If this reply helps you, Karma would be appreciated.
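A Python prototype of the two approaches in this thread (an added example, not code from the thread or from Splunk): re.findall() stands in for rex max_match=0, the eye-catcher regex plus split() stands in for the rex/eval pair above, the sample messages are constructed from the one quoted in the question, and a second hex-only pattern is added to show why the \w version matches these values while a strict UUID validator would not.

```python
import re

# Constructed samples: the first mirrors the message quoted in the question
# (including the trailing ', "'), the second has no 'fieldx' eye-catcher.
SAMPLE_WITH_EYECATCHER = (
    "message: Filtered marking ids for DAC property 'fieldx': "
    "abc12345-b123-c456-d789-123abx789edc, de14fc5e-22av-87dd-65d9-7563a7pleqw3, \""
)
SAMPLE_WITHOUT_EYECATCHER = (
    "message: marking ids: 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0, "
    "ffffffff-0000-1111-2222-333333333333"
)

# Same shape as the accepted answer: | rex max_match=0 "(?<fieldx>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})"
# Python's re module needs (?P<name>...) for named groups; Splunk/PCRE accepts (?<name>...).
GUID_SHAPE = re.compile(r"(?P<fieldx>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})")

# Stricter variant: hex digits only, as a real RFC 4122 UUID would be.
HEX = r"[0-9a-fA-F]"
GUID_HEX = re.compile(HEX + r"{8}-" + HEX + r"{4}-" + HEX + r"{4}-" + HEX + r"{4}-" + HEX + r"{12}")

# Same as: | rex "fieldx': (?<fieldx>.*)" | eval fieldx=split(fieldx,", ")
EYECATCHER = re.compile(r"fieldx': (?P<fieldx>.*)")


def extract_all(message: str, pattern: re.Pattern = GUID_SHAPE) -> list[str]:
    """max_match=0 behaviour: every non-overlapping match becomes one multivalue entry."""
    return pattern.findall(message)


def extract_after_eyecatcher(message: str) -> list[str]:
    """Anchored approach: take everything after the eye-catcher, then split on ', '.
    Returns [] when the eye-catcher is absent (rex would leave the field unset).
    Note: .* runs to end of line, so the stray closing quote from the sample
    survives as the last multivalue entry; strip or trim it before using the values."""
    m = EYECATCHER.search(message)
    if m is None:
        return []
    return m.group("fieldx").split(", ")


if __name__ == "__main__":
    print(extract_all(SAMPLE_WITH_EYECATCHER))              # both values, via \w
    print(extract_all(SAMPLE_WITH_EYECATCHER, GUID_HEX))    # [] : 'x', 'v', 'p' ... are not hex
    print(extract_all(SAMPLE_WITHOUT_EYECATCHER))           # works without the eye-catcher
    print(extract_after_eyecatcher(SAMPLE_WITH_EYECATCHER)) # last entry is the stray '"'
```

Iterate on the pattern here against a handful of copied log lines, then paste the same regex into rex (switching (?P<name>) back to (?<name>)) once it behaves.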

judges88
Explorer

I would say I'm trying to validate the format. Just trying to take all the GUIDs (they are all 8,4,4,4,12) and pull them out specifically into a new field called fieldX. I probably gave a poor description. What you gave me did work, but only if it specifies fieldX in the original message. Is there any way to just pull out all numbers that match the 8-4-4-4-12 format into a new field?

Sorry, I SUCK with rex type inputs.


judges88
Explorer

Yeah, this was my fault and I'm sorry, not trying to disrespect anyone. I posted this and found a few more logs that contain the same GUIDs that don't have that fieldx as part of the message. Sorry about that. But this did work, so thank you. Again, SUPER new to ever trying rex, don't understand 100% of it.
