Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help to write regex.

vaibhavbharadwa
Observer
‎08-01-2019 11:28 AM

I have 2 sets of logs. I am supposed to extract the content between the last 2 '#' among the below logs.
Please help.

<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#

<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #

information which is written in Bold needs to be extracted into a field called as 'message'

I tried with the following regex :
(?(field_name_with_angular_brackets)User..\s.)

Please let me know how to do this.

Also please let me know how to combine regex of 2 fields into a single field.

0 Karma
Reply

jpolvino
Builder
‎08-01-2019 12:27 PM

Another option with just 1 step:

(your search) | rex "#\s(?!.*# )(?<message>[^#]+)#$"

Then if you want to create a new field from two others, just use a period between them.

...
| eval f1="abc"
| eval f2="123"
| eval f3=f1.f2
| eval f4=f1."_".f2

So f3 will be abc123 and f4 will be abc_123

0 Karma
Reply

woodcock
Esteemed Legend
‎08-01-2019 12:14 PM

Like this:

| makeresults 
| eval raw="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#:::Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "#\s*(?<message>[^#]+)\s*#\s*$"
0 Karma
Reply

niketn
Legend
‎08-01-2019 12:12 PM

@vaibhavbharadwaj try the following regular expression

|  rex "\#\s*(?<message>[^\#]+)\s*#$"

Following is a run anywhere example based on the sample data provided. Please try out and confirm!

|  makeresults
|  fields - _time
|  eval data="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#;Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  rex "\#\s*(?<message>[^\#]+)\s*#$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mydog8it
Builder
‎08-01-2019 12:06 PM

Do you have access to the search heads to modify the transforms and props.conf files?

0 Karma
Reply

saurabhkharkar
Path Finder
‎08-01-2019 12:04 PM 
| makeresults
|eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message

Explanation : 

| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and dumps it in a new field 'message'
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...