extract string to a field

navd · ‎06-17-2018

I have some strings appearing in the events , i want to extract them ,it doesnt have any keyvalue pair
sample event :-
6/15/18
4:53:00.123 PM 420420 1529074380797 2018-06-15 14:53:00.797 10.224.34 - - - - prod abc.services ffffffffdcfb607e-186-16403ef6ffd000 ERROR ERROR - - - - com.data.driver.core.exceptions.NouserAvailableException: All user(s) tried for query failed

so from the above event I would want to extract "com.data.driver.core.exceptions.NouserAvailableException"

vinod94 · ‎06-18-2018

if the events are of the same type, you can try this...

| makeresults 
| eval data="6/15/18
4:53:00.123 PM 420420 1529074380797 2018-06-15 14:53:00.797 10.224.34 - - - - prod abc.services ffffffffdcfb607e-186-16403ef6ffd000 ERROR ERROR - - - - com.data.driver.core.exceptions.NouserAvailableException: All user(s) tried for query failed" 
| rename data as _raw 
| rex field=_raw "ERROR\s\-\s\-\s\-\s\-(?P<field_name>[^\:]+)"

lloydknight · ‎06-17-2018

Hello @navd

You may refer to this link to access the field extractor,
Or you can extract fields using regex. See link.

Also, if the provided sample event is in uniform with the succeeding events, try this query:

your base search | rex "\ERROR ERROR - - - - (?<Exception>.*)\:"

Hope it helps!

Ayn · ‎06-17-2018

What other data around it can you rely on to stay the same? Are the dashes before your text static for instance? Did you try the interactive field extractor?

extract string to a field

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?