Solved: Using regex to extract data

jialiu907 · ‎02-19-2025

I am looking to extract this section of an event and have it as a field that I am able to manipulate with. I am unfamiliar with regex and I am getting the wrong results.

Events

<28>1 2025-02-19T15:14:00.968210+00:00 aleoweul0169x falcon-sensor-bpf 1152 - - CrowdStrike(4): SSLSocket Disconnected from Cloud.
<30>1 2025-02-19T15:14:16.104202+00:00 aleoweul0169x falcon-sensor-bpf 1152 - - CrowdStrike(4): SSLSocket connected successfully to ts01-lanner-lion.cloudsink.net:443

I am looking to have a field called Disconnect based on "SSLSocket Disconnected from Cloud"

livehybrid · ‎02-19-2025

Hi @jialiu907

Have a look at the below, I've suggested 2 ways you can determine your Disconnect field based on that value, is this what you're after?

| makeresults 
|  eval _raw="<28>1 2025-02-19T15:14:00.968210+00:00 aleoweul0169x falcon-sensor-bpf 1152 - - CrowdStrike(4): SSLSocket Disconnected from Cloud."
| rex "\)\:\s(?<Disconnect>SSLSocket Disconnected from Cloud)"
| eval Disconnect2=IF(searchmatch("SSLSocket Disconnected from Cloud"),1,0)

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

View solution in original post

kiran_panchavat · ‎02-19-2025

@jialiu907

Check this

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

jialiu907 · ‎02-19-2025

Yes it worked perfectly thank you. Are you able to explain the syntax of the rex if possible?

livehybrid · ‎02-19-2025

Sure @jialiu907

Just to mention, by default rex works on the _raw field, however you can specify field=<fieldName> to run it against a different field.

Breakdown of the rex (regular expression):

\)\:
- Matches a literal ) followed by a :.
- The backslash (\) escapes the closing parenthesis ) since it's a special character in regex.
\s
- Matches a single whitespace character (space, tab, or newline).
(?<Disconnect>SSLSocket Disconnected from Cloud)
- This is a named capturing group called Disconnect which means it creates your new Splunk field called "Disconnect".
- It captures the exact phrase "SSLSocket Disconnected from Cloud". - If there is no exact match (Case-Sensitive) then it will not match!
- The (?<name>pattern) syntax is used to name the capturing group and extract the field.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

livehybrid · ‎02-19-2025

Hi @jialiu907

Have a look at the below, I've suggested 2 ways you can determine your Disconnect field based on that value, is this what you're after?

| makeresults 
|  eval _raw="<28>1 2025-02-19T15:14:00.968210+00:00 aleoweul0169x falcon-sensor-bpf 1152 - - CrowdStrike(4): SSLSocket Disconnected from Cloud."
| rex "\)\:\s(?<Disconnect>SSLSocket Disconnected from Cloud)"
| eval Disconnect2=IF(searchmatch("SSLSocket Disconnected from Cloud"),1,0)

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

Using regex to extract data

field extraction

fields

regex

rex

Breakdown of the rex (regular expression):

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

It’s go time — Boston, here we come!

Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...

Are you a member of the Splunk Community?

Using regex to extract data

field extraction

fields

regex

rex

Breakdown of the rex (regular expression):

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

It’s go time — Boston, here we come!

Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...