Solved: Regex help extracting session ID

reverse · ‎06-26-2019

10.249.68.17 0000*aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa*7 12.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

10.247.68.23 0000*a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb* 17.119.53.11 - - [26/Jun/2019:13:06:37 -0400] "GET /xx/yy?REQUESTED_PAGE_ID=yy&REQUESTED_ACTION=xd&FWPOPUP=Y&displayMode=1&FLUSH_VARIABLE=YES&EDIT_FLAG=YES&CASE_NUM=6003378547&CASE_SEQ_NUM=6632579&ROW_COUNT=0&token=Random HTTP/1.1" 200 10855 dyrwasp026tw.ca.us:21152

aJyyyQvMs5xIb7KGdRxRTl98AhhUNq0lMLQ8RQ8szjFp4gtHI:1cq4afaa7
a0000eSP3bbdcJvjHUckwzlySRnx3t2V080oU-eoDEJlAqbIz0u2_Y:1cq4af5jb

How do I extract the bold part session id always?
Please help.

jnudell_2 · ‎06-26-2019

Hi @reverse
You can try this regex:

... [ your search stuff ] ...

| rex "^\S+\s+\d{4}\(?<session_id>[^\]+)\*"

Data without the asterisks (*):

... [ your search stuff ] ...

| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:

... [ your search stuff ] ...

| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

View solution in original post

niketn · ‎06-26-2019

@reverse try the following rex command and confirm:

| rex "^[^\s]+\s(?<session_id>[^\s]+)\s"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

reverse · ‎06-26-2019

Thanks @niketnilay .. but did not work ..
Please see here
regexr.com/4ggc2

jnudell_2 · ‎06-26-2019

Hi @reverse
You can try this regex:

... [ your search stuff ] ...

| rex "^\S+\s+\d{4}\(?<session_id>[^\]+)\*"

Data without the asterisks (*):

... [ your search stuff ] ...

| rex "^\S+\s+\d{4}(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

If you know that the session id is ALWAYS preceded by four 0's, I would use this instead:

... [ your search stuff ] ...

| rex "^\S+\s+0000(?<session_id>[a-zA-Z0-9-_]+:[a-zA-Z0-9]+)\s"

reverse · ‎06-26-2019

@jnudell_2 it gave me blanks in splunk..

https://regex101.com/r/vzbrqU/1

reverse · ‎06-26-2019

Thanks a ton Sir

reverse · ‎06-26-2019

Worked like a Charm ...Many thanks again! @jnudell_2

reverse · ‎06-26-2019

https://regex101.com/r/vzbrqU/2

reverse · ‎06-26-2019

@jnudell_2 I was trying to make it bold for highlighting purposes .. apologies for the confusion..
it appears that your answer is not updated..

jnudell_2 · ‎06-26-2019

Your sample included asterisk symbols, and your regex sample does not. If there are no asterisk symbols you would use a different regex. I have updated the answer.

reverse · ‎06-26-2019

@jnudell_2 Please guide.

@Vijeta Please guide.

Vijeta · ‎06-26-2019

@reverse Try this

rex field=_raw  "\d{2}.\d{3}.\d{2}.\d{2} 0000\*(?<id>\S+)\*"

reverse · ‎06-26-2019

hey @Vijeta thanks but no luck ..
Please see here
https://regex101.com/r/vzbrqU/3

Regex help extracting session ID

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases