Splunk Search

What is the proper regex syntax to use rex to create 4 new fields?

akelly4
Path Finder

I have a log line that looks like the following:

2014-11-28 19:28:42 smx02 postfix/smtp[57736]: 6F7471C73AC_479133AF: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.13, delays=0.01/0/0/0.12, dsn=2.0.0, status=sent (250 OK, sent 5479133A_6994_12793_1 8E560172844_479133AB)

I want to use regex to create 4 new fields.

Field1 - 6F7471C73AC_479133AF (number/letter combinations)
Field2 - 5479133A_6994_12793_1 (number/letter combinations)
Field3 - 8E560172844_479133AB (number/letter combinations)
Field 4 - 57736 (Always number)

I know I can use the rex field=FIELDNAME command, but I can't seem to get the syntax to work.

Is there anyone that can point me in the right direction or give me some times on how to create these fields. I really just want to understand the Splunk syntax.

Tags (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

For problems like this, RegExr is a great tool. Using it and your sample event, I came up with this.

rex "\[(?<Field4>\d+)]:\s+(?<Field1>\S+):[\s\S]+?, sent (?<Field2>\S+) (?<Field3>\S+)"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

abhay1991
New Member

/apps/IHSLogs/com-ihs85-pd01-01/IRXWebCommon/access_log_2018-11-16

how to extract this field

0 Karma

ppablo
Retired

Also, here's a previous Answers posts with a collection of users' favorite resources for regex help 🙂

http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

0 Karma

richgalloway
SplunkTrust
SplunkTrust

For problems like this, RegExr is a great tool. Using it and your sample event, I came up with this.

rex "\[(?<Field4>\d+)]:\s+(?<Field1>\S+):[\s\S]+?, sent (?<Field2>\S+) (?<Field3>\S+)"
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...