Solved: Re: rex extraction

a212830 · ‎01-09-2014

Hi,

I'm trying to extract a field via rex for a search and having problems. Hoping someone could help me...

Here's some sample data - I want to get the "user" field, which is the "a" plus the 6 digits. I had rex "(?i)/.*?/(?P<FIELDNAME>[a-f0-9]+)(?=@)", but that didn't work.

2014-01-09T10:35:27.671644-05:00 hosta Juniper: 2014-01-09 10:35:27 - ive - [1.2.3.4] a123456(Mobile Web Cert)[Mobile] - Network Connect: Session started for user with IP 67.68.1.2, hostname a123456s-iPad

2014-01-09T10:34:40.618589-05:00 hosta Juniper: 2014-01-09 10:34:40 - ive - [7.8.9.0] a987654 JOE SCHMOE(Web Cert)[Full Access] - Network Connect: Session started for user with IP 1.2.3.4, hostname BLAH

kristian_kolb · ‎01-09-2014

I would suggest;

... | rex "\]\s(?<user>a\d{6})"

/k

View solution in original post

arihant16cse · ‎02-06-2019

please check it .it is efficent respect to all possibilties.

lukejadamec · ‎01-09-2014

Try something like this:

search |rex ".*(?P<userID>[a]\d{6})"

kristian_kolb · ‎01-09-2014

I would suggest;

... | rex "\]\s(?<user>a\d{6})"

/k

rex extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation