Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my rex command extracting other text strings

jhilton90
Path Finder
‎11-07-2022 04:10 AM

I am using the following rex command to extract an id number, which is in the following format: 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35. I am also using the rex command to extract email addresses. However, it seems to extract the wrong information, let me show you:

index=keycloak "MFA"
| regex _raw="MFA challenge failed"
| rex "(?i) is (?P<keycloak_id>[^\"]+)"
| rex "(?i) is (?P<email_address>.+?)\.\s+"
| table Account_ID, email_address, keycloak_id, _time

However, this is the output that I get:

Account_IDemail_addresskeycloak_id_time
aaaaaaa'OTP is invalid''OTP is invalid'. Keycloak session id is 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h352022-11-07 09:56:17.00

 

I'm really struggling to properly extract the right information that I'm looking for.

Any help would be greatly appreciated

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 05:59 AM

Hi @jhilton90,

please try this 

| rex "account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+)"

that you can test at https://regex101.com/r/6zSc2W/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-07-2022 04:49 AM

You have a flimsy anchor - for example, " is " occurs multiple times in your event. You need to provide more context to the anchor so the right place can be found in your events.

0 Karma
Reply
Solved! Jump to solution

jhilton90
Path Finder
‎11-07-2022 05:38 AM

The keycloak_id and email_address are in the same field. Basically the field goes like this:

message: MFA challenge succeeded for account aaaaaa with email example@example.com. Keycloak session id is 44t4tegr-44fg-4444-4444-444444444444

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-07-2022 06:08 AM

Try something like this

index=keycloak "MFA"
| regex _raw="MFA challenge failed"
| rex "(?i) account (?P<Account_ID>\S+)\s"
| rex "(?i) session id is (?P<keycloak_id>\S+)"
| rex "(?i) email (?P<email_address>\S+)\.\s+"
| table Account_ID, email_address, keycloak_id, _time
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 04:44 AM

Hi @jhilton90,

could you share some sample of your data?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jhilton90
Path Finder
‎11-07-2022 05:47 AM

The keycloak_id and email_address are in the same field. Basically the field goes like this:

message: MFA challenge succeeded for account aaaaaa with email example@example.com. Keycloak session id is 44t4tegr-44fg-4444-4444-444444444444

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 05:59 AM

Hi @jhilton90,

please try this 

| rex "account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+)"

that you can test at https://regex101.com/r/6zSc2W/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jhilton90
Path Finder
‎11-07-2022 06:15 AM

Let me give it a go! Great resource by the way, thank you

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...