Solved: Attempting to use rex to extract a session id, how...

john_glasscock · ‎10-22-2015

I need to extract a session ID out of events, but the special character is causing me problems.

Example:

Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F:
    System: MTA, Source (Reason): None, Action: sent
Oct 22 08:33:30 192.168.7.251 postfix/smtp[76654]: 67BE5D1332D0A82F: to=<jbubba@test.org>, delay=0.42, delays=0.41/0/0/0.01, dsn=2.6.0, status=sent (250 2.6.0  <jCAHxoxnu--VD2tu+N8wyHgGndydf=-5Q1H6CVBXc5z82iyQOmWA@mail.gmail.com> Queued mail for delivery)

I want to extract 67BE5D1332D0A82F.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex field=_raw "Session_ID: (?<\]\:>.\w+)"

The above does not work.

Any help would be appreciated,
Thanks,
John

richgalloway · ‎10-22-2015

Your rex command is looking for the string "Session_ID: ", but that string does not exist in your examples. This search finds the string you want.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex "\]: (?<session_id>\w+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

somesoni2 · ‎10-22-2015

Try something like this

sourcetype=WatchGuard  67BE5D1332D0A82F  | rex "([^:]+:){3}(?<SessionId>[^:]+)"

richgalloway · ‎10-22-2015

Your rex command is looking for the string "Session_ID: ", but that string does not exist in your examples. This search finds the string you want.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex "\]: (?<session_id>\w+)"

---
If this reply helps you, Karma would be appreciated.

john_glasscock · ‎10-22-2015

Thank you, I appreciate the help.
I did take it one step farther by adding exact count for session_id to eliminate some random hits.

sourcetype=WatchGuard  67BE5D1332D0A82F | rex "\]: (?\w{16})"

Attempting to use rex to extract a session id, how to deal with special characters?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability