Re: extracting fields

Jananee_iNautix · ‎01-20-2014

Hi,
I have the following log statements
1.Connected to [el2me@star-mf.grgk.com:22]
2.. Connected to [ftpsergr.gregn.com:41]. UserID [egwergrwe]

From the above statements i have to exrtact userid in common.In first log statement e12me is the userid and in second log statement string following the UserID is the userid which i want to extract ie.egwergrwe

i gave the following regex to extract the userid and diplay in table
as
sourcetype="RSBA_LOGS-2" |rex field=_raw "(?:Connected to |UserID)?[(?\S+)(?:@|])" | table userid

But it is not extracting the correct userid .Can anyone help me on the regex.

somesoni2 · ‎01-21-2014

This could be a workaround.

   your base search.. | rex field=_raw "\[(?<userid>[^\]]*)\]$" | rex field=userid "(?<userid>[^@]*)"

No luck so far with single rex.

MuS · ‎01-20-2014

Hi Jananee_iNautix,

try something like this:

(Connected to \[|UserID \[)(?<userid>.+)[\:\]]

here is a good online regex test tool http://www.regexr.com/ where you can test your regex.

hope this helps ...

cheers, MuS

Jananee_iNautix · ‎01-20-2014

It is not extracting the userid.Please help...

extracting fields

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...