Solved: Field Extraction for Values with random keys

mbrown_splunk · ‎11-27-2013

Hi

I am trying to extract a field named session_id (I have highlighted the fields in bold) from a log file, but there is no consistency with the position of the session_id. The only constant is the session_id is 22 characters, which is made up of numbers, letters, dashes and underscores. Below is a sample of the data, I have put X's through some of the data which is sensitive:

2013/11/21-12:29:58.170 +0200: 10.12.149.120 5 LOGIN_FAIL XXXXX@XXXXXX.com XXXX:XXXTrader 0XBFD2a5Kvaq3cD8wiCpLR USER_UNKNOWN
2013/11/21-12:29:58.101 +0200: 10.12.149.120 5 OPEN 0XBFD2a5Kvaq3cD8wiCpLR
2013/11/21-12:29:49.945 +0200: 10.12.149.120 5 LOST - - 0yzPsUSfepZMwfxOu2jQui CLOSE_TYPE2
2013/11/21-12:29:38.311 +0200: 10.12.149.120 3 CLOSE - XXXX:XXXTrader 06EpEUOoz461hLCCeDe5qm TIMEOUT
2013/11/21-12:29:30.750 +0200: 10.12.149.120 5 OPEN 0yzPsUSfepZMwfxOu2jQui
2013/11/21-12:29:28.244 +0200: 10.12.149.120 3 CLOSE - XXXX:XXXTrader 0gbe7IlUDJJtVuSWWO4fIz TIMEOUT
2013/11/21-12:28:48.320 +0200: 10.12.149.120 3 LOGIN_FAIL XXXX.XXXXXXXXXXX@XXXXXXXXXXXX.co.uk XXXX:XXXTrader 06EpEUOoz461hLCCeDe5qm USER_UNKNOWN
2013/11/21-08:46:20.305 +0200: 10.12.149.130 5 LOST XXXX@XXXXXX.com XXXX:XXXTrader 0nHzJadbf8pFzscVJIZUCO CLOSE_TYPE2
2013/11/21-08:44:20.708 +0200: 10.12.149.130 5 LOGIN_OK XXXX@XXXXXX.com XXXX:XXXTrader 0reFTR9TYqn1Id-LiXQPKz LOGIN_OK

I can write some regex that captures some of the session_id's, but my regex skills are not at a level to capture all of them.

Any help would be greatly appreciated.

lukejadamec · ‎11-27-2013

This works on your data set:

[a-zA-Z0-9-_]{22}

View solution in original post

lukejadamec · ‎11-27-2013

This works on your data set:

[a-zA-Z0-9-_]{22}

mbrown_splunk · ‎11-27-2013

This worked a treat. Thank you very much.

Field Extraction for Values with random keys

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!