Splunk Search

field extraction

splunklearner
Communicator

Hi, 

Please extract DUSTER and JUNIPER as app_name from following sample events - 

1. unit_hostname="GBWDC111AD011HMA.systems.uk.fed"

support_id="16675049156208762610"

vs_name="/f5-tenant-01/DUSTER-GBM-FR-DEV/v-dusteruat.systems.uk.fed-443"

policy_name="/Common/waf-fed-transparent

 

2. unit_hostname="GBWDC111AD011HMA.systems.uk.fed"

support_id="16675049156208762610"

vs_name="/f5-tenant-01/JUNIPER-GBM-FR-DEV/v-juniperuat.systems.uk.fed-443"

policy_name="/Common/waf-fed-transparent

 

The app_names will be dynamic and there is no gurantee that everytime GBM will not be coming beside app_names.

I tried this - vs_name=\"\/.*\/(?<app_name>.*)\-GBM

but as I told everytime GBM will not same in all events. Please make it generic and give the regex for me. Thanks

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Regular expressions work on pattern matching and two examples is not many to secure a reliable pattern, that being said, if your data has already been extracted into the vs_name field, you could try something like this

| rex field=vs_name "^\/[^\/]+\/(?<app_name>\w+)\-"

View solution in original post

0 Karma

kiran_panchavat
SplunkTrust
SplunkTrust

@splunklearner Please check this

| makeresults count=2 
| eval vs_name1="/f5-tenant-01/DUSTER-GBM-FR-DEV/v-dusteruat.systems.uk.fed-443"
| eval vs_name2="/f5-tenant-01/JUNIPER-GBM-FR-DEV/v-juniperuat.systems.uk.fed-443"
| eval vs_name=mvappend(vs_name1, vs_name2)
| mvexpand vs_name
| rex field=vs_name "\/[^\/]+\/(?<app_name>[^\/\-]+)"
| table vs_name, app_name

kiran_panchavat_0-1738745483721.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Regular expressions work on pattern matching and two examples is not many to secure a reliable pattern, that being said, if your data has already been extracted into the vs_name field, you could try something like this

| rex field=vs_name "^\/[^\/]+\/(?<app_name>\w+)\-"
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...