Splunk Search

Why is my rex command extracting other text strings

jhilton90
Path Finder

I am using the following rex command to extract an id number, which is in the following format: 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35. I am also using the rex command to extract email addresses. However, it seems to extract the wrong information, let me show you:

index=keycloak "MFA"
| regex _raw="MFA challenge failed"
| rex "(?i) is (?P<keycloak_id>[^\"]+)"
| rex "(?i) is (?P<email_address>.+?)\.\s+"
| table Account_ID, email_address, keycloak_id, _time

However, this is the output that I get:

Account_IDemail_addresskeycloak_id_time
aaaaaaa'OTP is invalid''OTP is invalid'. Keycloak session id is 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h352022-11-07 09:56:17.00

 

I'm really struggling to properly extract the right information that I'm looking for.

Any help would be greatly appreciated

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @jhilton90,

please try this 

| rex "account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+)"

that you can test at https://regex101.com/r/6zSc2W/1

Ciao.

Giuseppe

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

You have a flimsy anchor - for example, " is " occurs multiple times in your event. You need to provide more context to the anchor so the right place can be found in your events.

0 Karma

jhilton90
Path Finder

The keycloak_id and email_address are in the same field. Basically the field goes like this:

message: MFA challenge succeeded for account aaaaaa with email example@example.com. Keycloak session id is 44t4tegr-44fg-4444-4444-444444444444

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=keycloak "MFA"
| regex _raw="MFA challenge failed"
| rex "(?i) account (?P<Account_ID>\S+)\s"
| rex "(?i) session id is (?P<keycloak_id>\S+)"
| rex "(?i) email (?P<email_address>\S+)\.\s+"
| table Account_ID, email_address, keycloak_id, _time
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jhilton90,

could you share some sample of your data?

Ciao.

Giuseppe

0 Karma

jhilton90
Path Finder

The keycloak_id and email_address are in the same field. Basically the field goes like this:

message: MFA challenge succeeded for account aaaaaa with email example@example.com. Keycloak session id is 44t4tegr-44fg-4444-4444-444444444444

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jhilton90,

please try this 

| rex "account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+)"

that you can test at https://regex101.com/r/6zSc2W/1

Ciao.

Giuseppe

jhilton90
Path Finder

Let me give it a go! Great resource by the way, thank you

0 Karma
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...