Solved: Re: eval or rex help

keyu921 · ‎05-20-2020

Message="Internal event: Function ldap_search entered.
SID: S-1-5-18
Source IP: 127.0.0.1:25855
Operation identifier: 680571
Data1:
Data2: 2796807187
Data3:
Data4:"

How can I just left message "Message="Internal event: Function ldap_search entered."

by rex to define as fields or use eval command?

gcusello · ‎05-20-2020

Hi @keyu921,
probably the message field sould be already automatically extracted by Splunk because there's the pair key=value, if you cannot see it, use the Verbose Mode in search.

If not you can use a regex like this in the rex command or in a guided extraction:

(?ms)Message\=\"(?<Message>.+)\s+SID

that you can test at https://regex101.com/r/5X9OXT/1

Ciao.
Giuseppe

View solution in original post

gcusello · ‎05-20-2020

Hi @keyu921,
probably the message field sould be already automatically extracted by Splunk because there's the pair key=value, if you cannot see it, use the Verbose Mode in search.

If not you can use a regex like this in the rex command or in a guided extraction:

(?ms)Message\=\"(?<Message>.+)\s+SID

that you can test at https://regex101.com/r/5X9OXT/1

Ciao.
Giuseppe

keyu921 · ‎05-20-2020

|rex Message=(?ms)Message=\"(?.+)\s+SID
But seems failed

gcusello · ‎05-20-2020

Hi @keyu921,
Try:

| rex "(?ms)Message\=\"(?<Message>.+)\s+SID"

P.S.: when you insert a code (like the regex) in a Question or in a Comment, use always the Code sample button (the one with 101010) otherwise your comment isn't readable.

Ciao.
Giuseppe

keyu921 · ‎05-21-2020

same result

keyu921 · ‎05-21-2020

it is ok now

eval or rex help

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!