Splunk Search

Help with rex to search logs for deleting user context

gtidd
Explorer

I know I am missing something simple here, but I cannot seem to figure this out.
I am trying to search my logs for the following:

Deleting user context for <>

With my application, there are instances where the line, "Deleting user context for" will not be followed by anything. These types of entries are those that I would like to ignore.

I have tried:

index=<> | rex field=source "(? ^Deleting user context for *[a-z])"

I have also tried multiple variants of above with no luck. If anyone would be able to point me in the right direction I would be very appreciative of that!

0 Karma
1 Solution

gtidd
Explorer

OK, so I tried the first suggestion and that did not seem to work. Probably b/c of the rex vs regex issue.

I am sorry for messing up the initial post, it is my very first post. Typically the standard searches work fine for me, but this one needs something a bit more than typical. I am very much not an expert at searching with Splunk. So I apologize if I am asking the wrong questions here.

I will look into the regex a bit more. I had tried it previously as well, but the search of Deleting user context for [a-z] did not return properly even though a regex testing website validated and brought back the correct results. I figured at that point I was just not doing something right when it came to Splunk and its use of regular expressions which is why I turned here for help.

View solution in original post

0 Karma

gtidd
Explorer

OK, so I tried the first suggestion and that did not seem to work. Probably b/c of the rex vs regex issue.

I am sorry for messing up the initial post, it is my very first post. Typically the standard searches work fine for me, but this one needs something a bit more than typical. I am very much not an expert at searching with Splunk. So I apologize if I am asking the wrong questions here.

I will look into the regex a bit more. I had tried it previously as well, but the search of Deleting user context for [a-z] did not return properly even though a regex testing website validated and brought back the correct results. I figured at that point I was just not doing something right when it came to Splunk and its use of regular expressions which is why I turned here for help.

0 Karma

FrankVl
Ultra Champion

That regex should work for detecting strings that have a lowercase character following "Deleting user context for ". If you need further help with this, some sample data would help, as well as the actual searches you've tried so far.

One more thought based on what you shared so far: You are targeting the regex at field=source. The source field in Splunk does normally not contain this kind of data. Usually source contains some kind of indication of the source of the data (e.g. a certain UDP/TCP port, a filename, etc.). So unless you actually have this "Deleting user context for..." content in the source field, you may need to use another field there, or no field at all to apply the regex to the raw events.

0 Karma

gtidd
Explorer

Late yesterday I figured out that part about the source. So thank you for mentioning that b/c that was the key to my issues. Once I removed that, the search worked as I would have expected. I ended up using the following.

index=<<Some Index Name>> | regex "/^(Deleting user context [a-z])"

Thank you to everyone that chimed in here to help me! I very much appreciate it!

FrankVl
Ultra Champion

rex is for extracting things, not for filtering. You'd probably want to look at the regex search command, which allows you to filter results using a regex.

Also: when posting search code and such, please put it in between backticks: ` ` or use the 101010 button in the editor toolbar to mark part of your post as code. Now some special characters seem to have disappeared.

0 Karma

jpolvino
Builder

You could try:

| rex field=source "Deleting user context for (?<userContext>.+)"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...