September 28, 2021 01:27 pm GMT

Splunk - Rex command

When you are debugging an application, you may need to extract some data from logs (like an id in a URI).

To help you to do that, Splunk has the rex command.

How does it work?

Command

The simplest way to use it is

| rex "<regex>"

With this command, rex searches for the pattern in the whole event (the _raw field).

If you want to search in a specific field, add field= followed by the name of your field.

| rex field=<field name> "<regex>"

Example

| rex field=uri "<regex>"

Regex

To write the regex, follow this pattern:

[Regex about the text before the desired value][Regex about the desired value][Regex about the text after the desired value]

The first and the last part look like a classic regex,
but the middle part is a little particular.

(?<fieldname>\w+)

Written like this, you declare the field into which the extracted value will be inserted, followed by the regex matching that value.

You can also extract multiple values with a single rex command.

Examples

Retrieve a username

| rex "user\s(?<username>\w+)\s"

Retrieve the email sender and the destination of a mail

| rex field=_raw "From: <(?<from>.*)> To: <(?<to>.*)>"
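The commands and patterns above, tried offline with a small emulation of rex on constructed events (added example, not code from the original post; the `rex` function, the sample events and the `uri` field are assumptions). It also goes one step past the post by showing why the greedy `.*` in the mail example can overshoot.

```javascript
// Added example, not code from the original post: a small emulation of
// Splunk's rex command so the patterns in the post can be tried offline.
// Splunk uses PCRE-style named groups (?<name>...), which JavaScript regexes
// also support, so the patterns are copied verbatim with String.raw.

// Emulates `| rex field=<field> "<regex>"`: run the regex against the chosen
// field of every event (default _raw, as in Splunk) and add one new field per
// named capture group. Events that do not match, or lack the field, pass
// through unchanged, which is also what rex does.
function rex(events, pattern, field = "_raw") {
  const re = new RegExp(pattern);
  return events.map((event) => {
    const value = event[field];
    if (typeof value !== "string") return event;
    const m = re.exec(value);
    if (!m || !m.groups) return event;
    return { ...event, ...m.groups };
  });
}

// Constructed sample events (not real log data).
const sampleEvents = [
  { _raw: "2021-09-28 login user alice from 10.0.0.5" },
  { _raw: "2021-09-28 logout user bob from 10.0.0.9" },
  { _raw: "2021-09-28 health check ok" },
  { _raw: "From: <ann@example.org> To: <ops@example.org> Cc: <sec@example.org>" },
  { _raw: "GET /api/users/1234 200", uri: "/api/users/1234" },
];

// Post's first example: retrieve a username from the whole event.
const withUsers = rex(sampleEvents, String.raw`user\s(?<username>\w+)\s`);

// field=: pull an id out of the uri field only (the motivating case above).
const withIds = rex(sampleEvents, String.raw`/users/(?<user_id>\d+)`, "uri");

// Post's second example, and the caveat it carries: a greedy `.*` runs to the
// last `>` it can still match, so when a Cc: header follows, `to` overshoots
// and swallows everything up to the final bracket.
const greedy = rex(sampleEvents, String.raw`From: <(?<from>.*)> To: <(?<to>.*)>`);

// Tightened pattern: `[^>]*` stops at the first closing bracket.
const tightened = rex(sampleEvents, String.raw`From: <(?<from>[^>]*)> To: <(?<to>[^>]*)>`);

// Quick look at the results when run stand-alone.
console.log(withUsers.map((e) => e.username));
console.log(greedy[3].to, "|", tightened[3].to);
```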

Links

I hope it will help you!


Original Link: https://dev.to/adaendra/splunk-rex-command-2c02
