I need to extract a session ID out of events, but the special character is causing me problems.
Example:
Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F:
System: MTA, Source (Reason): None, Action: sent
Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: to=<jbubba@test.org>, delay=0.42, delays=0.41/0/0/0.01, dsn=2.6.0, status=sent (250 2.6.0 <jCAHxoxnu--VD2tu+N8wyHgGndydf=-5Q1H6CVBXc5z82iyQOmWA@mail.gmail.com> Queued mail for delivery)
I want to extract 67BE5D1332D0A82F.
sourcetype=WatchGuard 67BE5D1332D0A82F | rex field=_raw "Session_ID: (?<\]\:>.\w+)"
The above does not work.
Any help would be appreciated,
Thanks,
John
Your rex command is looking for the string "Session_ID: ", but that string does not exist in your examples. This search finds the string you want.
sourcetype=WatchGuard 67BE5D1332D0A82F | rex "\]: (?<session_id>\w+)"
Try something like this
sourcetype=WatchGuard 67BE5D1332D0A82F | rex "([^:]+:){3}(?<SessionId>[^:]+)"
Thank you, I appreciate the help.
I did take it one step farther by adding exact count for session_id to eliminate some random hits.
sourcetype=WatchGuard 67BE5D1332D0A82F | rex "\]: (?<session_id>\w{16})"
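As an added example (not part of this thread, and not Splunk's own code), the loose pattern from the accepted answer and the tightened `\w{16}` version from the follow-up are applied with Python's `re` module to sample events constructed from the two postfix lines in the question, plus one constructed line with no queue ID after `]: `. Python names capture groups with `(?P<name>...)`, whereas Splunk's `rex` accepts the PCRE `(?<name>...)` form; the patterns are otherwise identical. The question's original group name `(?<\]\:>...)` is also rejected as a regex, because group names may contain only word characters.

```python
import re

# Constructed sample events: the first two are modelled on the lines in the
# question, the third is a constructed postfix line with no queue ID after "]: ".
SAMPLE_EVENTS = [
    "Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: "
    "System: MTA, Source (Reason): None, Action: sent",
    "Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: "
    "to=<jbubba@test.org>, delay=0.42, delays=0.41/0/0/0.01, dsn=2.6.0, "
    "status=sent (250 2.6.0 <jCAHxoxnu--VD2tu+N8wyHgGndydf=-5Q1H6CVBXc5z82iyQOmWA"
    "@mail.gmail.com> Queued mail for delivery)",
    "Oct 22 08:33:31 192.168.7.251 postfix/smtpd[76660]: connect from unknown[10.0.0.5]",
]

# Accepted answer: any run of word characters right after "]: ".
LOOSE = re.compile(r"\]: (?P<session_id>\w+)")

# Follow-up: exactly 16 word characters, which drops short tokens such as "connect".
STRICT = re.compile(r"\]: (?P<session_id>\w{16})")


def extract(pattern, events):
    """Return the session_id captured by `pattern` for each event, or None when it does not match."""
    results = []
    for event in events:
        match = pattern.search(event)
        results.append(match.group("session_id") if match else None)
    return results


def splunk_like(events, search_term, pattern):
    """Mimic `<search_term> | rex ...`: keep only events containing the term, then extract."""
    matched = [event for event in events if search_term in event]
    return extract(pattern, matched)


def compiles(regex):
    """True when `regex` is a valid pattern; the question's original group name is not."""
    try:
        re.compile(regex)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print(extract(LOOSE, SAMPLE_EVENTS))
    print(extract(STRICT, SAMPLE_EVENTS))
    print(splunk_like(SAMPLE_EVENTS, "67BE5D1332D0A82F", STRICT))
    print(compiles(r"Session_ID: (?P<\]\:>.\w+)"))
```

One caveat on the `\w{16}` form: it still matches the first 16 characters of a longer token, so if the field can ever be followed directly by more word characters, anchor it with the trailing colon (`\w{16}):`) or a word boundary (`\w{16})\b`).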