When you are debugging an application, you may need to extract some data from logs (like an id in a URI...).
To help with that, Splunk has the rex command.
How does it work?
Command
The simplest way to use it is
| rex regex
With this form, the regex is applied to the whole event (the _raw field).
If you want to search in a specific field, add field= and the name of your field.
| rex field=<field_name> regex
Example
| rex field=uri "regex"
Regex
To write the regex, follow this pattern:
[Regex for the text before the desired value][Regex for the desired value][Regex for the text after the desired value]
The first and the last parts look just like a classic regex.
But the middle part is a little bit particular.
(?<field_name>\w+)
Written like this, you declare the field the extracted value will be stored in, followed by the regex matching the value itself.
You can also extract multiple values with a single rex command.
Examples
Retrieve a username
| rex "user\s(?<username>\w+)\s"
Retrieve the email sender and the destination of a mail
| rex field=_raw "From: <(?<from>.*)> To: <(?<to>.*)>"
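The three-part pattern and the two examples above, as an added Python example (not Splunk code and not from the original post): a small rex function that applies a regex with named groups to one field of an event and adds the captures as new fields, the way the command does. Splunk's regex engine is PCRE and spells named groups (?<name>...), while Python's re module only accepts (?P<name>...), so the helper translates that one spelling. The function names, the event dict layout, the /orders/<id>/ path and the sample log lines are all constructed for this example.

```python
import re

# Splunk's rex uses PCRE named groups spelled (?<name>...). Python's re module
# only accepts (?P<name>...), so rewrite that one spelling and leave the
# lookbehind assertions (?<= and (?<! alone.
_NAMED_GROUP = re.compile(r"\(\?<(?![=!])")


def to_python_regex(pattern: str) -> str:
    """Translate Splunk/PCRE named-group syntax into Python's."""
    return _NAMED_GROUP.sub("(?P<", pattern)


def rex(event: dict, regex: str, field: str = "_raw") -> dict:
    """Mimic `| rex field=<field> "<regex>"` on a single event.

    An event is a dict of field name -> value. Every named capture group in
    `regex` becomes a new field on a copy of the event. As in Splunk, an event
    whose field does not match (or that lacks the field) passes through unchanged.
    """
    result = dict(event)
    text = event.get(field)
    if text is None:
        return result
    match = re.search(to_python_regex(regex), text)
    if match is None:
        return result
    for name, value in match.groupdict().items():
        if value is not None:
            result[name] = value
    return result


# [text before][value][text after]: the post's username example, run on _raw.
def extract_username(raw: str):
    return rex({"_raw": raw}, r"user\s(?<username>\w+)\s").get("username")


# Same shape, but against a specific field (field=uri) to pull an id out of a path.
# The uri field name comes from the post; the path layout is a constructed sample.
def extract_order_id(uri: str):
    return rex({"uri": uri}, r"/orders/(?<order_id>\d+)/", field="uri").get("order_id")


# Two values from one rex. The post's pattern uses .* which is greedy: on a line
# containing a later ">" the `to` group swallows everything up to the last one.
# [^>]* stops at the first ">" and is the safer form for angle-bracket fields.
def extract_mail_addresses(raw: str, greedy: bool = False) -> tuple:
    pattern = (r"From: <(?<from>.*)> To: <(?<to>.*)>" if greedy
               else r"From: <(?<from>[^>]*)> To: <(?<to>[^>]*)>")
    ev = rex({"_raw": raw}, pattern)
    return ev.get("from"), ev.get("to")


if __name__ == "__main__":
    # Constructed sample events, not real Splunk data.
    print(extract_username("2024-01-01T10:00:00 login ok user alice from 10.0.0.5"))
    print(extract_order_id("/api/v1/orders/8731/items"))
    line = "From: <ops@example.test> To: <soc@example.test> subject=<alert>"
    print(extract_mail_addresses(line, greedy=True))
    print(extract_mail_addresses(line))
```

The greedy/strict pair is the check worth keeping in mind when writing the middle part of the pattern: a value regex that can run past the "text after" delimiter will silently capture too much, and the downstream search built on that field will then miss or mis-group events.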
Links
I hope it will help you!