Solved: Re: Extracting a string of numbers from log file a...

wyvivianho · ‎11-06-2019

I am trying to extract a string of numbers (6-8 digits) within a string. each of the string extracted/detected will be a category of event ID. And I will need to tabulate the stat of these event IDs. What is a good way of doing it?

mayurr98 · ‎11-11-2019

try this:

index=<your_index> |rex  "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

also, try this run anywhere search:

| makeresults 
| eval data="054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9,999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9" 
| makemv data delim="," 
| mvexpand data 
| rex field=data "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

View solution in original post

mayurr98 · ‎11-11-2019

try this:

index=<your_index> |rex  "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

also, try this run anywhere search:

| makeresults 
| eval data="054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9,999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9" 
| makemv data delim="," 
| mvexpand data 
| rex field=data "(\d|\w)\d{3}_\d{3}01(?<EventId>\d{4})"

woodcock · ‎11-06-2019

Like this:

... | rex field=eventID "(?<myNumber>\d+)"

somesoni2 · ‎11-06-2019

The best method will depend upon the exact use case of yours. Please share some sample values, highlight what part you want to extract and what aggregation/reporting you want out of it. Sample expected output will help too.

vivianhowy18 · ‎11-11-2019

for example, for the first event,
054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9, the event ID is the 43th -46th digits (4 digits) "2006" after xxxxx_xxx01

or for the second example,
999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9
the event ID is "3002" which is the 4 digits after xxxx_xxx01.

the event ID begins with 01.

mayurr98 · ‎11-06-2019

best of extracting is regex. Please give us sample input.

wyvivianho · ‎11-08-2019

here is the sample input:

054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9

or

999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9

trying to extract the eventID that is after _031*01XXXX*

mayurr98 · ‎11-08-2019

okay, can you tell me whats the eventID? what to extract from both the events?

vivianhowy18 · ‎11-11-2019

for example, for the first event,
054100172.23.47.142 20191025183818S617_0310120060387212200090541SEG_EAltaSesOpe 0000000000000000000000000000JR388400000000000 C200-025C96D22DA|1010000000D9, the event ID is the 43th -46th digits (4 digits) "2006" after xxxxx_xxx01

or for the second example,
999900 20191025183334S617_0310130020571272600120541ConsultaLDAP 0000000000000000000000000000JB146000000000001 149029 3C0CFF0F|0000000000D9
the event ID is "3002" which is the 4 digits after xxxx_xxx01.

the event ID begins with 01.

Extracting a string of numbers from log file and tabulate the data

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases