Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help to write regex.

vaibhavbharadwa
Observer
‎08-01-2019 11:28 AM

I have 2 sets of logs. I am supposed to extract the content between the last 2 '#' among the below logs.
Please help.

<12>Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#

<12>Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #

information which is written in Bold needs to be extracted into a field called as 'message'

I tried with the following regex :
(?(field_name_with_angular_brackets)User..\s.)

Please let me know how to do this.

Also please let me know how to combine regex of 2 fields into a single field.

0 Karma
Reply

jpolvino
Builder
‎08-01-2019 12:27 PM

Another option with just 1 step:

(your search) | rex "#\s(?!.*# )(?<message>[^#]+)#$"

Then if you want to create a new field from two others, just use a period between them.

...
| eval f1="abc"
| eval f2="123"
| eval f3=f1.f2
| eval f4=f1."_".f2

So f3 will be abc123 and f4 will be abc_123

0 Karma
Reply

woodcock
Esteemed Legend
‎08-01-2019 12:14 PM

Like this:

| makeresults 
| eval raw="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#:::Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "#\s*(?<message>[^#]+)\s*#\s*$"
0 Karma
Reply

niketn
Legend
‎08-01-2019 12:12 PM

@vaibhavbharadwaj try the following regular expression

|  rex "\#\s*(?<message>[^\#]+)\s*#$"

Following is a run anywhere example based on the sample data provided. Please try out and confirm!

|  makeresults
|  fields - _time
|  eval data="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#;Dec 25 00:56:59 10.10.10.11 null: SampleLog%%1362 # Minor # diness # 0 # Service manager # Validate details # LocalMMS # Fail # 10.10.10.255 # User name: diness. Failure reason: The user name does not match the password or the account does not exist. #"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  rex "\#\s*(?<message>[^\#]+)\s*#$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mydog8it
Builder
‎08-01-2019 12:06 PM

Do you have access to the search heads to modify the transforms and props.conf files?

0 Karma
Reply

saurabhkharkar
Path Finder
‎08-01-2019 12:04 PM 
| makeresults
|eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message

Explanation : 

| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and dumps it in a new field 'message'
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...