Re: Filtering out part of a value

NizanCohen · ‎11-09-2022

Hi all.

I'm working with a FTP server which include a session number with each status and I wish to exclude the session number to be separate value to use later.

Example of the fields are:

[12345156]quit

[14365361]pass

I tried using replace "[*]" with * in cs_status but it won't remove the session number (inside the [] is the session number).

Basic search query:

"index=application sourcetype=FTPlogs"

Thank you for the assistance!

NizanCohen · ‎11-09-2022

I managed to resolve it by using "extract new fields" and simply selected an example of each desired field and Splunk made the regex and the fields for me.

Thanks!

gcusello · ‎11-09-2022

Hi @NizanCohen,

good for you, bu anyway I hint to learn to build your regexes by yourself because they are very much useful!

Please accept one answer for the other people of Community

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎11-09-2022

Hi @NizanCohen,

let me understand, are you speaking to replace "[9999]action" with "999action"?

do you mean at search time or at index time?

If at search time, you could use the rex command.

Ciao.

Giuseppe

NizanCohen · ‎11-09-2022

I prefer making the session a separate field.

If possible without the []

gcusello · ‎11-09-2022

Hi @NizanCohen,

yes you can do it, you need a regex, could you share a sample of your logs?

it should be something like this:

| rex field=your_field "^\[(?<session>\d+)\]"

Ciao.

Giuseppe

NizanCohen · ‎11-09-2022

Hi.

Here's an example of two fields:

[1153909]type
[1168228]created

Filtering out part of a value?

search job inspector

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024