Splunk Search

Why is my rex command extracting other text strings

jhilton90
Path Finder

I am using the following rex command to extract an id number, which is in the following format: 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35. I am also using the rex command to extract email addresses. However, it seems to extract the wrong information; let me show you:

index=keycloak "MFA"
| regex _raw="MFA challenge failed"
| rex "(?i) is (?P<keycloak_id>[^\"]+)"
| rex "(?i) is (?P<email_address>.+?)\.\s+"
| table Account_ID, email_address, keycloak_id, _time

However, this is the output that I get:

| Account_ID | email_address | keycloak_id | _time |
| --- | --- | --- | --- |
| aaaaaaa | 'OTP is invalid' | 'OTP is invalid'. Keycloak session id is 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35 | 2022-11-07 09:56:17.00 |


I'm really struggling to properly extract the right information that I'm looking for.

Any help would be greatly appreciated

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @jhilton90,

please try this 

| rex "account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+)"

that you can test at https://regex101.com/r/6zSc2W/1

Ciao.

Giuseppe


ITWhisperer
SplunkTrust

You have a flimsy anchor - for example, " is " occurs multiple times in your event. You need to provide more context to the anchor so the right place can be found in your events.

0 Karma

jhilton90
Path Finder

The keycloak_id and email_address are in the same field. Basically the field goes like this:

message: MFA challenge succeeded for account aaaaaa with email example@example.com. Keycloak session id is 44t4tegr-44fg-4444-4444-444444444444

0 Karma

ITWhisperer
SplunkTrust

Try something like this

index=keycloak "MFA"
| regex _raw="MFA challenge failed"
| rex "(?i) account (?P<Account_ID>\S+)\s"
| rex "(?i) session id is (?P<keycloak_id>\S+)"
| rex "(?i) email (?P<email_address>\S+)\.\s+"
| table Account_ID, email_address, keycloak_id, _time
0 Karma
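To make the "flimsy anchor" point concrete, here is an added Python example (not from the thread) that runs the question's `rex` patterns and the context-anchored ones above over two constructed events; Python's `re` stands in for Splunk's PCRE, which is safe for these particular patterns.

```python
import re

# Constructed sample events (not from the original thread). The "failed" line is
# modelled on the output table in the question, the "succeeded" line on the
# poster's own sample message.
EVENTS = [
    "message: MFA challenge failed for account aaaaaaa with email example@example.com. "
    "Reason is 'OTP is invalid'. Keycloak session id is 1e4gd5g7-4fy6-fg567-3d46-3gth63f57h35",
    "message: MFA challenge succeeded for account aaaaaa with email example@example.com. "
    "Keycloak session id is 44t4tegr-44fg-4444-4444-444444444444",
]

# The question's patterns: " is " is the only anchor, and it occurs several times
# per event, so the first occurrence wins regardless of what follows it.
FLIMSY = {
    "keycloak_id": re.compile(r"(?i) is (?P<keycloak_id>[^\"]+)"),
    "email_address": re.compile(r"(?i) is (?P<email_address>.+?)\.\s+"),
}

# The suggested fix: anchor each capture on the literal words that precede it.
ANCHORED = {
    "Account_ID": re.compile(r"(?i) account (?P<Account_ID>\S+)\s"),
    "keycloak_id": re.compile(r"(?i) session id is (?P<keycloak_id>\S+)"),
    "email_address": re.compile(r"(?i) email (?P<email_address>\S+)\.\s+"),
}


def extract(event, patterns):
    """Mimic rex: first match wins; a field whose pattern does not match is None."""
    fields = {}
    for name, pattern in patterns.items():
        match = pattern.search(event)
        fields[name] = match.group(name) if match else None
    return fields


def compare(event):
    """Return (flimsy, anchored) field dicts for one event, for side-by-side review."""
    return extract(event, FLIMSY), extract(event, ANCHORED)


if __name__ == "__main__":
    for event in EVENTS:
        flimsy, anchored = compare(event)
        print("flimsy  :", flimsy)
        print("anchored:", anchored)
        print()
```

On the failed event the flimsy patterns reproduce the bad table row from the question ('OTP is invalid' lands in both fields), while on the succeeded event the flimsy email pattern matches nothing at all; the anchored patterns return the same three fields on both.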

gcusello
SplunkTrust

Hi @jhilton90,

could you share some sample of your data?

Ciao.

Giuseppe

0 Karma

jhilton90
Path Finder

Let me give it a go! Great resource by the way, thank you

0 Karma