Splunk Search

How to extract field name containing square brackets, "conn[SSL/TLS]=23832"?

dangerusty
Engager

I have an auto-extracted field name of "conn" (conn=12345), but if the connection is SSL, then the field name becomes "conn[SSL/TLS]". I'd like to use that field name while doing things like transaction, but I can't find any way to get around those square brackets. I've tried double quotes, single quotes, dollar signs, renaming it to "conn", field alias to "conn", escaping the brackets. I assume I need rex, but I don't know where to start.

Ideally I'd like a search of "conn=12345" to include both field names (conn & conn[SSL/TLS] as if they were one, but I'd settle for a successful rename (conn=12345 OR connSSLTLS=12345).

1 Solution

wenthold
Communicator

In your field extraction, try the regex for the conn field:

conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)

Breaking the regex down:

  • (?: - Start of non-capturing group
  • \[ - Escaped bracket, it will match the open bracket in the event
  • [^\]]+ - Move ahead until the close bracket is found in the event
  • \] - Match the close bracket in the event
  • ) - End the non-capturing group
  • ? - everything in the capturing group is optional - will match conn=12345 or conn[ssl/tls]=12345

For the field to be extracted, [0-9]+ will capture every numeric character after the "=", but if you expect any non-numeric characters you'll have to account for that.

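Applying the accepted regex to a few constructed events, as an added Python example that is not part of the thread: it shows that conn=12345 and conn[SSL/TLS]=23832 both land in one conn field, that a non-numeric value is skipped as the answer warns, and, going one step beyond the post, keeps the bracketed qualifier as its own field (conn_type, a name I chose). Python's re module spells a named group (?P<name>...) where Splunk's PCRE uses (?<name>...); the rest of the pattern is unchanged.

```python
import re
from typing import List, Optional

# Same pattern as the accepted answer, with the named group rewritten in
# Python's (?P<name>...) form and a second group (my addition, not from the
# post) that captures the optional "[SSL/TLS]" qualifier as conn_type.
CONN_RE = re.compile(r"conn(?:\[(?P<conn_type>[^\]]+)\])?=(?P<conn>[0-9]+)")

# Constructed sample events for the demo; hosts, addresses and ids are made up.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z host=proxy1 conn=12345 src=10.0.0.5 action=allow",
    "2024-03-01T10:00:01Z host=proxy1 conn[SSL/TLS]=23832 src=10.0.0.7 action=allow",
    "2024-03-01T10:00:02Z host=proxy1 conn[SSL/TLS]=abc src=10.0.0.9 action=deny",
    "2024-03-01T10:00:03Z host=proxy1 session=99 action=deny",
]


def extract_conn(event: str) -> Optional[dict]:
    """Return {"conn": <id>, "conn_type": <qualifier or None>}, or None.

    The third sample event returns None: "[0-9]+" does not match "abc", which
    is the caveat from the answer about non-numeric values.
    """
    m = CONN_RE.search(event)
    if m is None:
        return None
    return {"conn": m.group("conn"), "conn_type": m.group("conn_type")}


def find_transaction(events: List[str], conn_id: str) -> List[str]:
    """Emulate searching conn=<id> so both field spellings are treated as one."""
    hits = []
    for ev in events:
        fields = extract_conn(ev)
        if fields is not None and fields["conn"] == conn_id:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_conn(ev))
    print(find_transaction(SAMPLE_EVENTS, "23832"))
```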


elliotproebstel
Champion

This can handle the very simple rename option:

| rename "*[*/*]*" AS ****