Splunk Search

Help with rex to get a particular field

surekhasplunk
Communicator

The search I am using is below and in the output for few I am getting 3 records in the filed manage. Please help me to write a rex to get only a single record where protocol:{name:ssh}

index="unicorn" |fillnull value="_" | search infrastructure{}.name="FRA-SGSS ZONE PARTENAIRE FRANCE" location.building="*" type.name="*" location.room="*" teamInCharge{}.name="*"  |lookup Input_splunk_all.csv RTR as name  |spath output=manage remoteManagement{} | table name manage

If you see the output below for the name PFSOFW401 and PFSOFW01, I am getting more than 1 line for the manage filed- there I need single record.

name    manage
TIGSGSSFR01 {"id":12584,"protocol":{"name":"ssh"},"ip":"192.0.4.193","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":3434}
TIG-DMZ-SGSSFR-S01  {"id":15320,"protocol":{"name":"ssh"},"ip":"192.0.4.171","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":5164}
SOCGEN-SGSS-CLICHY  {"id":43103,"protocol":{"name":"ssh"},"ip":"223.3.2.145","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":22626}
SOCGEN-DMZ-TIGERY   {"id":43101,"protocol":{"name":"ssh"},"ip":"223.3.2.143","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":22624}
RT2821-LEV-MIN-A18  {"id":43102,"protocol":{"name":"ssh"},"ip":"192.168.1.37","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":22625}
PFSOFW401   
{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw401","password":null,"device":7076}
{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
PFSOFW01    
{"id":17897,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw01","password":null,"device":7077}
{"id":17898,"protocol":{"name":"https"},"ip":"192.0.4.41","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7077}
{"id":17645,"protocol":{"name":"ssh"},"ip":"192.0.4.41","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7077}

Thanks.

Tags (2)
0 Karma
1 Solution

arjunpkishore5
Motivator

Not very clear on what the expected output is. If you want variable protocol to have value ssh, this should work.

|rex field=manage "\\?\"protocol\\?\"\:{\\?\"name\\?\"\:\\?\"(?<protocol>[^\\\"]+)"

Note: this rex accomodates for hidden backslash character. You can test your regular expressions here - regex101.com

Hope this helps
Cheers

EDIT: Based on the sample provided, here is the regex

| rex field=_raw "name\"\:\"(?<protocol>[^\"]+)" 
| rename protocol as "protocol:name"

View solution in original post

0 Karma

arjunpkishore5
Motivator

Not very clear on what the expected output is. If you want variable protocol to have value ssh, this should work.

|rex field=manage "\\?\"protocol\\?\"\:{\\?\"name\\?\"\:\\?\"(?<protocol>[^\\\"]+)"

Note: this rex accomodates for hidden backslash character. You can test your regular expressions here - regex101.com

Hope this helps
Cheers

EDIT: Based on the sample provided, here is the regex

| rex field=_raw "name\"\:\"(?<protocol>[^\"]+)" 
| rename protocol as "protocol:name"
0 Karma

surekhasplunk
Communicator

Yes @arjunpkishore5 ,

I want to get the protocol:name to have value ssh.
But thats not working. i tried the rex provided by you above but its getting nothing in protocol field.

my sample data is below:

{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw401","password":null,"device":7076}
{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}

0 Karma

arjunpkishore5
Motivator

@surekhasplunk Updated my answer based on the sample data provided. Please give a try.

0 Karma

Sukisen1981
Champion

please give us some sample data

0 Karma

surekhasplunk
Communicator

Hi @Sukisen1981 ,

sample data is my manage field.

I have pinged 1 row below also. :

{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw401","password":null,"device":7076}
{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...