Splunk Search

rex help...

msarkaus
Explorer

Greetings,

Please help!!

I need to extract the ID value from the two events below, and I'm kinda banging my head here. I just need to list Q123456789 and each ID in my dashboard, but I can't get past all of the special characters.

I’ve tried using different combinations like this:

| eval msg="the event"

| rex "msg =(?< policyId >\w+)"

| table policyId

But what I would really like to have something like this in my dashboard:

Starting Controller Q123456789

CallStatus=Success Q123456789

Starting Controller Q123456788

CallStatus=Success Q123456788

Starting Controller Q123456787

CallStatus=Success Q123456787

And so on.

Is this possible?

Your help is always appreciated.

Thanks

Starting Controller=Fall Action=GetFallReportAssessment data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}

API=/api/Fall/reportAssessment/ CallStatus=Success Controller=Fall Action=GetFallReportAssessment Duration=27 data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}

0 Karma

richgalloway
SplunkTrust

Regular expressions are very literal - they match exactly what they are told to match or they don't match at all. In the attempted SPL, the rex command expects to find the letters 'm', 's', 'g', a space, and '=' in that order, but they are not present in the sample events so no policyId field can be extracted. Try this:

| rex field=msg "policyId\\\":\\\"(?<policyId>\w+)"

---
If this reply helps you, Karma would be appreciated.
0 Karma

msarkaus
Explorer

Unfortunately, it didn't pick up the policy ID. It returns a blank table.

0 Karma

richgalloway
SplunkTrust

Please share the full SPL you ran.  The one command I provided will not return a table so we need to know how you are creating a table.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ITWhisperer
SplunkTrust

| rex "\"policyId\":\"(?<policyId>\w+)\""
0 Karma

msarkaus
Explorer

It returns a blank table.

0 Karma

ITWhisperer
SplunkTrust

If the rex isn't working, it is probably because it doesn't match precisely to the event you have. Please repost your events in a code block </> to preserve the formatting which will be important to getting the rex correct.

0 Karma

msarkaus
Explorer

</API=/api/full/reportAssessment/ CallStatus=Success Controller=Full Action=GetfullReportAssessment Duration=5 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}>

</Starting Controller=Full Action=GetClueReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}/

0 Karma

ITWhisperer
SplunkTrust

This is a code block:

</API=/api/full/reportAssessment/ CallStatus=Success Controller=Full Action=GetfullReportAssessment Duration=5 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}>

</Starting Controller=Full Action=GetClueReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}/

The rex pattern provided would extract the policyId from this so there is probably something different about the event as you have shown it and your actual events. If you don't provide accurate (enough) information, we will not be able to provide you with an accurate (enough) solution.

0 Karma
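As an added check, not code from any reply in this thread: the original `msg =` pattern and the posted `"policyId":"…"` pattern run in Python's `re` module (which spells named groups `(?P<name>…)` instead of SPL's `(?<name>…)`) against the two sample events, and then build the "Starting Controller Q123456789" / "CallStatus=Success Q123456789" lines the question asks for. The optional-backslash variant is my own assumption about one way an indexed event can differ from the pasted text (quotes escaped inside a wrapping string); the thread does not confirm that is the cause here.

```python
import re

# Constructed sample input: the two log lines posted in the question.
EVENTS = [
    'Starting Controller=Fall Action=GetFallReportAssessment data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}',
    'API=/api/Fall/reportAssessment/ CallStatus=Success Controller=Fall Action=GetFallReportAssessment Duration=27 data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}',
]

# The original attempt, rex "msg =(?<policyId>\w+)": it needs the literal text
# "msg =" in the event, which neither sample contains, so it never matches.
ORIGINAL_PATTERN = re.compile(r"msg =(?P<policyId>\w+)")

# The posted rex "\"policyId\":\"(?<policyId>\w+)\"" with the SPL string
# escaping undone: the JSON key, a colon, and the quoted value.
POLICY_PATTERN = re.compile(r'"policyId":"(?P<policyId>\w+)"')

# Assumption (not from the thread): if the JSON is embedded inside another
# string, each quote may be backslash-escaped (\"policyId\":\"...). An optional
# backslash before every quote lets one pattern cover both forms.
TOLERANT_PATTERN = re.compile(r'\\?"policyId\\?":\\?"(?P<policyId>\w+)\\?"')


def extract_policy_id(event: str, pattern: re.Pattern = POLICY_PATTERN):
    """Return the policyId captured from one event, or None if the pattern does not match."""
    m = pattern.search(event)
    return m.group("policyId") if m else None


def label_event(event: str) -> str:
    """Build the dashboard line asked for: a short event prefix followed by the policyId."""
    policy_id = extract_policy_id(event, TOLERANT_PATTERN)
    if policy_id is None:
        return "unmatched"
    if event.startswith("Starting Controller"):
        return f"Starting Controller {policy_id}"
    status = re.search(r"CallStatus=(\w+)", event)
    return f"CallStatus={status.group(1)} {policy_id}" if status else policy_id


if __name__ == "__main__":
    for ev in EVENTS:
        # Original pattern -> None; posted pattern -> the ID; then the dashboard line.
        print(extract_policy_id(ev, ORIGINAL_PATTERN), extract_policy_id(ev), label_event(ev))
```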

msarkaus
Explorer

Sorry... I'm going to need to combine the policyId for both logs into one. Both do not work.

Thanks again for your help.

Call out

</

index=xxx appSubLvlNam="QAA" (msgTxt="Starting Controller=Full Action=GetFullReportAssessment data*" OR msgTxt="API=/api/full/reportAssessment/ CallStatus=Success*")

| eval msgTxt "Starting Controller=Full Action=GetFullReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241011","postDate":"1900-01-01T12:00:00"}"

| rex "\"policyId\":\"(?<policyId>\w+)\""

| table policyId

>

Response

</

index=xxx appSubLvlNam="QAA" (msgTxt="Starting Controller=Full Action=GetFullReportAssessment data*" OR msgTxt="API=/api/full/reportAssessment/ CallStatus=Success*")

| eval msgTxt "API=/api/full/reportAssessment/ CallStatus=Success Controller=full Action=GetFullReportAssessment Duration=17 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"} "

| rex "\"policyId\":\"(?<policyId>\w+)\""

| table policyId

>

0 Karma

ITWhisperer
SplunkTrust

You need to provide your raw event in a code block - use this button

ITWhisperer_0-1729008984590.png

to open a code block and paste your raw event into it so we can see exactly what you are dealing with

0 Karma