Splunk Search

How to extract a value from a field with spaces?

yozhbk
Explorer

Hello,

I'm doing a simple alert, which looks like this:

SIP/3102-in-* you=* | table you, id

Which should extract 2 tables from message like this:

Aug  1 10:40:08 192.168.1.201 Aug  1 10:39:17 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=11111111111|id=""Caller ID""") in new stack

What I get in return is actually this:

"11111111 Caller" (in table form, of course), but the ID is missing. For anything that comes in, only the first word before the space is shown.

I understand it's due to the way I extract it, but I'm really not sure how to form a search to make it properly produce the full string. Any help is appreciated.

0 Karma
1 Solution

sundareshr
Legend

Try this

SIP/3102-in-* you=* | rex "id=\"\"(?<id>[^\"]+)" |  table you, id


Jeremiah
Motivator

Try adding

| rex "id=\"\"(?<id>[^\"]+)"

to your search or

extract-ID=id=\"\"(?<id>[^\"]+)

to your props.conf stanza for this sourcetype.

0 Karma

yozhbk
Explorer

Thanks, but it seems to only work on some messages and not others....

0 Karma

gabriel_vasseur
Contributor

You would have more/better help if you actually posted examples and said "it worked for these ... but didn't work for those ...". Give as much detail as possible.

0 Karma

yozhbk
Explorer

I think I got it, in the example I showed, I was testing with double "" around the ID= field, so it worked with that. But my regular messages look like this.

Aug  1 11:27:04 192.168.1.201 Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=111111111|id=CALLER ID") in new stack

Really sorry for the confusion. I can add the double "" back, but I really do want to understand why just changing to

0 Karma

yozhbk
Explorer

Guys thank you so much. I figured it out. I guess I need to pay more attention. This is what my final search string looks like...

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id

sundareshr
Legend

@yozhbk, please accept the answer to close it out

0 Karma

sundareshr
Legend

rex "id=\"\"(?<id>[^)]+)" will not work because it is expecting "" after =. In your data, it appears, there are no quotes after the = sign. To capture when there are no quotes, try this

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id

0 Karma
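To make the point in the answer above concrete, here is an added example (not from the thread or from Splunk) that runs the thread's two rex patterns over both sample messages in plain Python, and adds a third pattern, `id="*(?P<id>[^"]+)`, that tolerates either shape. The `(?P<name>...)` group syntax and the unescaped quotes are Python's; in SPL the pattern sits inside a double-quoted string, which is why the thread writes `\"`.

```python
import re

# Constructed sample events, taken from the two messages posted in the thread.
QUOTED_EVENT = ('Aug  1 10:39:17 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] '
                'Set("SIP/3102-in-00000000", "you=11111111111|id=""Caller ID""") in new stack')
UNQUOTED_EVENT = ('Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] '
                  'Set("SIP/3102-in-00000000", "you=111111111|id=CALLER ID") in new stack')

# The patterns as Python regexes. Splunk rex uses (?<name>...) and needs \" inside its
# string literal; Python raw strings need neither.
REX_QUOTED = r'id=""(?P<id>[^"]+)'    # accepted answer: requires two quotes right after id=
REX_UNQUOTED = r'id=(?P<id>[^"]+)'    # final search: requires a non-quote right after id=
REX_EITHER = r'id="*(?P<id>[^"]+)'    # added generalization: zero or more quotes after id=


def extract_id(pattern, event):
    """Return the captured id, or None when the regex does not match.

    A non-matching rex leaves the field empty in Splunk, which is what the
    asker saw as a missing id column.
    """
    m = re.search(pattern, event)
    return m.group("id") if m else None


def compare_patterns():
    """Run each pattern over both events and report what each one captures.

    [^"]+ keeps going across spaces until the next double quote, so the whole
    'CALLER ID' survives; the only question is what sits between id= and the
    first character of the value.
    """
    results = {}
    for name, pattern in (("quoted", REX_QUOTED),
                          ("unquoted", REX_UNQUOTED),
                          ("either", REX_EITHER)):
        results[name] = (extract_id(pattern, QUOTED_EVENT),
                         extract_id(pattern, UNQUOTED_EVENT))
    return results


if __name__ == "__main__":
    for name, (quoted, unquoted) in compare_patterns().items():
        print(f"{name:9s} quoted event -> {quoted!r:12s} unquoted event -> {unquoted!r}")
```

Each of the thread's two patterns matches exactly one event shape and returns None on the other, which is why the same rex "worked on some messages and not others"; the combined pattern matches both.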

yozhbk
Explorer

rex "id=\"\"(?<id>[^)]+)" doesn't work?

0 Karma

yozhbk
Explorer

Hello,

It worked for one of the entries, but not the others... The length is always changing and so does the placement of the space; basically it's a caller's ID that I'm trying to extract.

0 Karma

sundareshr
Legend

This regex looks for id="" and captures everything after that till ", so the length should matter, as long as id="" exists. Can you share a sample where it doesn't match?

0 Karma