Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

instr in Splunk ?

kp_pl
Path Finder
‎06-27-2024 12:03 AM

Below is one of my fields. Quite complex,  I know It could be divided to more atomic values .. but it is not 😞

[AuditingPipelinePair, AuditingPipelinePair_response, AuditResponse, RESPONSE] [[
Tag = AUDIT-SUCCESS
Subject = "TAR_ID":"72503", "YEAR":"2106", "EQ_TY":"STD"
BXB ServiceTus TransactionId = sb-W10nXQte_ORf6PjJ4wQ#000000004
Message ID = afa9613.62eeaf42.N6b.1405404bdw7.N7e14
Service Ref = KlmSpsDictanaryS1/proxy/KlmSpsDictanary
Operation = getShareEquip
Protocol = KTTP
Client Address = 11.232.189.10
TransportDevel User = <anonymous>
MessageDevel User = dkd
Message Pode = 0
Payload = Dipis sb-W10wXDte_ORf6PjJde34wQ0004
]]

Anyway, some of (single Strings) values splunk separated automatically like Protocol or Operation. But how to extract (or even eval in query) parameter with space like  "MessageDevel User"  or "ClientAddress" ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 12:23 AM

You could use rex, something like this

| rex "MessageDevel User = (?<MessageDevelUser>\S+)"

View solution in original post

Reply
Solved! Jump to solution

glc_slash_it
Path Finder
‎06-27-2024 12:24 AM

Not quite sure what you're asking but, there are several things you can do there:

If fields like "Client Address" are not extracted, you can do a rex command and then use the extracted fields in evals etc:

| rex "Client Address = (?<address>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
| eval address = ...

If they are already extracted, but the field as a space you can do either:

| rename "Client Address" as ClientAddress
|eval ClientAddress = ...
or
| eval "Client Address" = ...

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 12:23 AM

You could use rex, something like this

| rex "MessageDevel User = (?<MessageDevelUser>\S+)"
Reply
Solved! Jump to solution

kp_pl
Path Finder
‎06-27-2024 01:58 AM

Would you look at Payload parameter. Result has many strings with spaces.

0 Karma
Reply
Solved! Jump to solution

kp_pl
Path Finder
‎06-27-2024 01:52 AM

I feel it could be a good solution but how to use it ?  Should I extract new field with this regex ? 

0 Karma
Reply
Solved! Jump to solution

kp_pl
Path Finder
‎06-27-2024 01:54 AM

ok, got it !  Works perfect 🙂

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...