
rex command to extract fields from field( Message=Document 345, Microsoft Word Text **owned by** first.last **on** abc1234 **was** some text **on** some text.............)?

sabithanitg
New Member

rex command to extract fields from Message=Document 345, Microsoft Word Text **owned by** first.last **on** abc1234 **was** some text **on** some text.............
The parts marked in bold are common to all the values.

The resulting field names and values should look like this:

DocumentNum=Document 345
DocumentType=Microsoft Word Text
username=first.last
device=abc1234
location=some text

I have started with the following rex command, but I cannot match the text up to "owned by", the username from "owned by" to "on", and so on:

| rex Message="(?<DocumentNum>[^\,])\,(?<DocumentType>[()?:owned]*)" | table DocumentNum DocumentType

My result looks like this:

DocumentNum = Document 345
DocumentType = Micro

0 Karma
1 Solution

stephanefotso
Motivator

Yes of course! There are many possibilities to extract what you want. Please tell me which of the above queries worked.
If it is the first one, here you go now:

|rex  "^Message=(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"|table DocumentNum DocumentType, username ,device, location

if it is the second one, here you go

|rex field=Message "(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"|table DocumentNum DocumentType, username ,device, location

Hope it may help now.

SGF


0 Karma
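As an added example that is not part of the thread and not Splunk's own code: the accepted rex pattern above, and the three-word DocumentType variant posted further down the thread, run in Python's re module (which accepts the same (?P<name>...) named groups that the rex command uses) over constructed events modelled on the values the poster quoted. The ANY_DEVICE_RE variant and the sample events are assumptions, added to show why the three-word pattern misses values such as "Microsoft Outlook - Memo Style" and that the accepted pattern's [a-f0-9]+ device class only matches hex-looking device names.

```python
import re

# Regex from the accepted answer in the thread. Splunk rex uses PCRE; Python's re
# understands the same (?P<name>...) named-group syntax, so it is copied unchanged.
SOLUTION_RE = re.compile(
    r"^Message=(?P<DocumentNum>[^,]+),(?P<DocumentType>[^\n]*)owned\sby\s"
    r"(?P<username>[^ ]+)\s+on\s+(?P<device>[a-f0-9]+)\s+was\s+(?P<location>[^\n]*)"
)

# The earlier attempt from the thread, which pins DocumentType to exactly three words.
THREE_WORD_RE = re.compile(
    r"^Message=(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)\sowned\sby\s"
    r"(?P<username>[^ ]+)\son\s(?P<device>[a-f0-9]+)\swas\s(?P<location>.+)"
)

# Assumed variant (not from the thread): the accepted pattern's device group only
# matches hex-looking names such as abc1234; \S+ also accepts names like WS-01.
ANY_DEVICE_RE = re.compile(SOLUTION_RE.pattern.replace(r"[a-f0-9]+", r"\S+"))

# Constructed sample events modelled on the values quoted in the thread.
SAMPLE_EVENTS = [
    "Message=Document 345, Microsoft Word Text owned by first.last on abc1234 was some text on some text",
    "Message=Document 346, Microsoft Outlook - Memo Style owned by jane.doe on 0ff1ce was printed on lpt1",
    "Message=Document 347, 11-02-099.pdf owned by j.smith on dead01 was https://h44444.www3.hp.com/HPCSN/EtFOnline/fff_ff_notes",
    "Message=Document 348, Microsoft Word Text owned by a.user on WS-01 was some text",
]


def extract(event, pattern=SOLUTION_RE):
    """Return the named groups as a dict with surrounding whitespace trimmed, or
    None when the pattern does not match (what Splunk shows as empty fields)."""
    m = pattern.search(event)
    if m is None:
        return None
    return {name: value.strip() for name, value in m.groupdict().items()}


def compare(events):
    """For each event, report which of the three patterns produce a match."""
    return [
        {
            "three_word": extract(e, THREE_WORD_RE) is not None,
            "solution": extract(e, SOLUTION_RE) is not None,
            "any_device": extract(e, ANY_DEVICE_RE) is not None,
        }
        for e in events
    ]
```

The greedy `[^\n]*` in DocumentType backtracks to the last "owned by" in the event, so a document title that itself contains "owned by" would shift the split; checking the extracted username against an expected format is a cheap sanity test.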


sabithanitg
New Member

I am using the first one. It worked perfectly.
Thank you very much and appreciate your help.

0 Karma

stephanefotso
Motivator

Hello! Here you go

|rex "^Message=(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)(?:[^ \n]* ){3}(?P<username>[^ ]+) on (?P<device>[a-f0-9]+) was (?P<location>.+)"|table  DocumentNum,DocumentType, username, device, location
SGF
0 Karma

sabithanitg
New Member

Thanks for the answer Stephane. This is not showing any value for these fields. Is there any other method to achieve this?

0 Karma

sabithanitg
New Member

Thanks Stephane. With a few changes it is working and extracts a few of the values, but not all of them.
Is there any possibility of extracting all of them?

For example, the DocumentType field contains values such as the ones below, and similarly for Location:
Microsoft Outlook - Memo Style,
11-02-099.pdf,
https://h44444.www3.hp.com/HPCSN/EtFOnline/fff_ff_notes

0 Karma

stephanefotso
Motivator

Try this:

    ..........|rex "^Message=(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)\sowned\sby\s(?P<username>[^ ]+)\son\s(?P<device>[a-f0-9]+)\swas\s(?P<location>.+)"|table  DocumentNum,DocumentType, username, device, location

And if you are working with a CSV file, meaning Message is a field in your CSV, try this:

       ..........|rex field=Message "(?P<DocumentNum>[^,]+),\s+(?P<DocumentType>\w+\s+\w+\s+\w+)\sowned\sby\s(?P<username>[^ ]+)\son\s(?P<device>[a-f0-9]+)\swas\s(?P<location>.+)"|table  DocumentNum,DocumentType, username, device, location

If that is also not working, please let me see the entire first line of your events.

SGF
0 Karma