So I'm trying to extract a field called "secureToken=tokenvalue" from our akamai logs. However when I try to extract the field, it gives me the following error message:
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
I have attempted to manually edit the regex, but I have not a lot of experience with regex so any help would be greatly appreciated
Thanks
Okay great!
However, I want to extract the "secureToken" bit from the following:
Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly
So I can add add it into the interesting fields section when searching in splunk
I really don't understand you? I just gave you the answer on a silver platter wrapped in a gold bow tie....
Do you actually understand my answer or are you trolling me?
The following spl command will extract the secureToken value and create a field called secureToken.
| rex "secureToken=(?<secureToken>\d+)"
If you still don't understand I suggest you take the splunk course: https://www.splunk.com/en_us/training/courses/using-fields.html
I get it now don't worry, I was just a bit slow that is all!
Thank you for your help
Connection: close
Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly
Server-Timing: cdn-cache; desc=MISS
Server-Timing: edge; dur=164
Server-Timing: origin; dur=158
Strict-Transport-Security: max-age=15768000
This works as a basic example:
| makeresults | eval _raw="Connection: close
Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly
Server-Timing: cdn-cache; desc=MISS
Server-Timing: edge; dur=164
Server-Timing: origin; dur=158
Strict-Transport-Security: max-age=15768000"
| rex "secureToken=(?<secureToken>\d+)"
Hi thanks for the reply!
I just want to extract the secureToken field though.
Thanks
To make it more clear how a regular expression field extractions works:
The rex syntax:
rex field=<field> <PCRE named capture group>
The PCRE named capture group works the following way:
(?<name>regex)
The above expression captures the text matched by regex into the group name.
If you don’t specify the field name, rex applies to _raw (which is the entire event).
Another example to make it more clear:
My example event is:
Thu Jan 16 2018 00:15:06 mailsv1 sshd[5258]: Failed password for invalid user borisjohnson from 194.8.74.23 port 3626 ssh2
I want to extract the username from this:
I do that with:
index=test sourcetype=demo_events
| rex user\s(?<username>\w+)\s
This will create the field name username with the extracted value of borisjohnson
From regex101:
I did exactly that in my reply with the part:
| rex "secureToken=(?<secureToken>\d+)"
Please provide a couple of sample events.