
Splunk Practice Exercise 13: Extracting Fields Using rex

Introduction

This practice exercise focuses on extracting a new field, BrowserVersion, from the useragent field using the rex command in Splunk, and then counting events by that new field.

Step 1: Access Splunk Web

  1. Open your web browser and navigate to Splunk Web:

    http://<your server ip>:8000

  2. Log in using your credentials.

Step 2: Navigate to Search & Reporting App

  1. In the Splunk Web interface, go to the Search & Reporting app.

Step 3: Extract Field Using rex

  1. In the search bar, enter the following search query:

    index=tutorial useragent=* | rex field=useragent "^(?<BrowserVersion>[^\s]+)"

    This adds a new field, BrowserVersion, to every event where the regular expression matches. The pattern is anchored to the start of the useragent value (^) and captures everything up to the first whitespace character ([^\s]+) into a named group; the group name becomes the field name. rex only extracts, it does not filter, so the number of events returned is unchanged. Field names are case sensitive, so later commands must refer to BrowserVersion exactly as written here.

  2. Verify that BrowserVersion now appears under INTERESTING FIELDS in the field sidebar on the left of the results.

[Screenshot: BrowserVersion listed under INTERESTING FIELDS]

Note: To display the useragent value in the event output, click All Fields in the same screen and select the useragent field.

Step 4: View results in table form

  1. The newly created field can be referenced by any later command in the search pipeline. In the search bar, enter the following search query:

    index=tutorial useragent=* | rex field=useragent "^(?<BrowserVersion>[^\s]+)" | stats count by BrowserVersion

  2. The output is a table with one row per distinct BrowserVersion value and the number of events carrying it:

[Screenshot: table of BrowserVersion values and their counts]

    Two points to keep in mind when reading this table. First, stats count by BrowserVersion drops any event that has no BrowserVersion field, so if the regular expression fails to match some useragent values those events disappear from the totals without warning. Second, the leading token of a modern User-Agent string is very often the compatibility token Mozilla/5.0 rather than the real browser name, so several different browsers can collapse into a single row.
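To see exactly what the two-stage search above does to individual values, here is an added example that emulates the rex extraction and the stats count by aggregation in plain Python. It is not code from the page or from Splunk; the useragent values are constructed to resemble the shape of the tutorial data, and the event dictionaries stand in for Splunk events. The example also makes the caveat above visible: the Chrome and Safari strings both yield Mozilla/5.0.

```python
import re
from collections import Counter

# Constructed sample events shaped like the tutorial's web access data.
# Two events are deliberately unusable: one has no useragent field and one
# has an empty value, which is what the useragent=* filter screens out.
SAMPLE_EVENTS = [
    {"useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 "
                  "(KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5"},
    {"useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 "
                  "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"},
    {"useragent": "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.17"},
    {"useragent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    {"useragent": "curl/7.68.0"},
    {"useragent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"},
    {"status": "404"},     # no useragent field at all
    {"useragent": ""},     # empty useragent value
]

# Same pattern as the rex command on the page. Splunk rex uses PCRE-style
# named groups (?<name>...); Python's re module spells them (?P<name>...).
BROWSER_VERSION_RE = re.compile(r"^(?P<BrowserVersion>[^\s]+)")


def rex_browser_version(events):
    r"""Emulate: useragent=* | rex field=useragent "^(?<BrowserVersion>[^\s]+)"

    Events without a non-empty useragent are filtered out (useragent=*).
    For the rest, a BrowserVersion field is added when the pattern matches;
    like rex, a non-matching event is kept but gets no such field.
    """
    out = []
    for ev in events:
        ua = ev.get("useragent")
        if not ua:
            continue
        new_ev = dict(ev)
        m = BROWSER_VERSION_RE.search(ua)
        if m:
            new_ev["BrowserVersion"] = m.group("BrowserVersion")
        out.append(new_ev)
    return out


def stats_count_by(events, field):
    """Emulate: stats count by <field>

    Returns {value: count}. Events lacking the field contribute nothing,
    which is why a failed extraction silently shrinks the totals.
    """
    return dict(Counter(ev[field] for ev in events if field in ev))


if __name__ == "__main__":
    extracted = rex_browser_version(SAMPLE_EVENTS)
    for value, count in sorted(stats_count_by(extracted, "BrowserVersion").items()):
        print(f"{value:<15} {count}")
```

Running the block prints five rows for six usable events: Chrome and Safari both land in the Mozilla/5.0 row, while Opera, Googlebot, curl and the older MSIE string each get their own. If you need the actual browser rather than the leading token, the rex pattern has to look past the compatibility token, for example at the product tokens after the parenthesised platform section.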

Conclusion

Congratulations! You have successfully completed the practice exercise: you used rex to extract the leading token of the useragent field into a new field, BrowserVersion, and used stats to count events by that field. This is a quick way to get a first view of the client software appearing in your web logs, keeping in mind that the leading token is often the generic Mozilla/5.0 compatibility token rather than the real browser. Continue to explore and experiment with different extraction patterns to enhance your Splunk skills.