- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a string from a field that contains...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
731/5000
How to extract a field that can contain letters, numbers and characters, as in the example below?
The field to extract is the policyName that always comes preceded by the instanceId field.
Ex:
policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313
I have tried several ways, but it is only extracting the first word after the "=" sign, eg. "[Exchange]", "Unrestricted", etc ...
Can anyone help?
Thank you very much in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults |eval x="Ex: policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313" | rex field=x "policyName+\s+\=(?<pname>.*?)instanceId" max_match=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To extract the field in inline mode.
I used this REGEX:
(?:policyName = (?P<policy>.*)instanceId)
Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults |eval x="Ex: policyName = Unrestricted Inbound Access on network security groups instanceId = 5313
policyName = Unrestricted MongoDB Access in network security groups instanceId = 5313
policyName = [Exchange] - CPF totalMatchCount = 12 instanceId = 5319
policyName = Unencrypted OS disks instanceId = 5313
policyName = Check Disable Telnet (port 23) access on Network Security Groups from Internet instanceId = 5313" | rex field=x "policyName+\s+\=(?<pname>.*?)instanceId" max_match=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sukisen!
It worked in search time. But inline extract does not. What would it look like for extract inline?
Thank you.
James
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jfeitosa_real
It should work in inline search as well.
Is the inline search a table in a dashboard? If yes, check the time range of the search
it could be that your logs are multispaced in that case use this regex - rex field=x "(?ms)policyName+\s+\=(?<pname>.*?)instanceId" max_match=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Sukisen1981 .
In fact it is to extract the field without research.
I got it this way:
(?:policyName=(?P<policy>.*)instanceId)
Thanks for your attention, your example helped me find this result.
Thank you very much.
James []s
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
