topic Re: How to create a regex to extract values from an event? in Splunk Search

How to create a regex to extract values from an event?

le_barbucheron — Mon, 03 Jun 2019 08:22:29 GMT

Hi everyone,

I'm struggling to find a REGEX to extract 2 value from my events.

I got events like this :

2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

I was looking for a REGEX to extract this two values :

0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E
and
0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E

But I don't know how write the right REGEX.

Thank you for reading and thank you in advance for your answers.

Re: How to create a regex to extract values from an event?

harshpatel — Mon, 03 Jun 2019 12:14:17 GMT

Hi @le_barbucheron,

Is this what you are looking for.

Edit: Updated the regex in the link for two possible cases you mentioned
Also,
Heres the search in Splunk which will work exactly like shown in the link:

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

// with space example


| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

Re: How to create a regex to extract values from an event?

martinpu — Mon, 03 Jun 2019 12:14:54 GMT

Please post an additional sample,
are the values you are showing only going to contain values between 0 and 9? Your original event has 22 instead of 2 2

Re: How to create a regex to extract values from an event?

martynoconnor — Mon, 03 Jun 2019 13:19:48 GMT

I'd need to see more sample events to ensure this regex isn't too focused on one event, but this works:

x00;\d\s(?<capturegroup1>\d)(?<capturegroup2>\d)

Re: How to create a regex to extract values from an event?

gcusello — Mon, 03 Jun 2019 13:31:56 GMT

Hi le_barbucheron,
let me understand: do youi want the second numeric value in a field and the third one in another field?

If this is your need, try something like this

^([^;]*;){10}\d\s(?P<Field1>\d)\s(?P<Field2>\d)

You can test it at https://regex101.com/r/7SRUfz/2

Bye.
Giuseppe

Re: How to create a regex to extract values from an event?

le_barbucheron — Wed, 05 Jun 2019 13:06:05 GMT

Sorry, guys I don't know why I didn't get any notifications of your reply,

Here's some more samples :

     2019-05-02 08:29:05.225;2019-05-02 08:29:05.225;2019-05-02 07:29:05.225;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;5 52 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

     2019-05-03 09:32:12.552;2019-05-03 09:32:12.552;2019-05-02 09:32:12.552;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;1 73 0 0 0 0 0 8 0 0 0 0 0 0 0 C CD 39 ;\x00;\x00;\x00;0;0

     2019-05-03 10:17:15.355;2019-05-03 10:17:15.355;2019-05-03 10:32:15.355;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10 ;\x00;\x00;\x00;0;0

     2019-05-03 11:16:03.012;2019-05-03 11:16:03.012;2019-05-03 11:16:06.012;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0 ;\x00;\x00;\x00;0;0

I tried the 3 propositions you made me and only the expression writed by @martynoconnor get me a result but this result return me an empty value when the first number extracted is "0"

Thank you for your answers ! 🙂

Re: How to create a regex to extract values from an event?

le_barbucheron — Wed, 05 Jun 2019 13:37:33 GMT

Sure, I tried your answer but i don't know why this don't work on my events but this work perfectly on regex101

Re: How to create a regex to extract values from an event?

mydog8it — Wed, 05 Jun 2019 14:58:49 GMT

O, here is a little bit different take...

^(.*;){9}\d\s(?P<Field1>\d)(?P<Field2>\d)

Re: How to create a regex to extract values from an event?

mydog8it — Wed, 05 Jun 2019 15:16:17 GMT

I just noticed the data in gcusello's session in regex101 is different than the data provided in the post above. There is a space between the two fields to be captured gcusello's session in regex101. Does the original data have variances like this or is it consistently one way or the other?

Re: How to create a regex to extract values from an event?

woodcock — Wed, 05 Jun 2019 15:55:35 GMT

Like this:

... | rex "([\d,a-f,A-F]+\s+)(?<f1>[\d,a-f,A-F]+)\s+(?<f2>[\d,a-f,A-F]+)\s+([\d,a-f,A-F]+\s+){15}"

Re: How to create a regex to extract values from an event?

le_barbucheron — Thu, 06 Jun 2019 07:12:29 GMT

Their is no space between the two value I need to extract, they'll always be grouped like my example

Re: How to create a regex to extract values from an event?

le_barbucheron — Thu, 06 Jun 2019 08:34:17 GMT

Oops sorry i was wrong, when the value of the field are different of 0 their is no space but when the first are the second are at 0 their is a space, like this :

0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

Re: How to create a regex to extract values from an event?

le_barbucheron — Thu, 06 Jun 2019 08:42:30 GMT

Thank you everybody, I think i'm going to use the regex wrote by @martynoconnor with the fillnull command to place the "0" values skipped,

Again, thank you so much !

Re: How to create a regex to extract values from an event?

harshpatel — Thu, 06 Jun 2019 10:14:41 GMT

Can you please try this search and see if it works?

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"

Re: How to create a regex to extract values from an event?

harshpatel — Thu, 06 Jun 2019 11:40:58 GMT

So theres two possibilities in your data?
It can be 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
OR 0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

Am I right?

Re: How to create a regex to extract values from an event?

le_barbucheron — Thu, 06 Jun 2019 11:50:56 GMT

yes their is this two possibilities and your expression :

"\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"

Work very well !!! thank you so much !

Can you please re-send it so i can accept it ? 🙂

Re: How to create a regex to extract values from an event?

harshpatel — Thu, 06 Jun 2019 11:59:58 GMT

@le_barbucheron Try this 🙂

Cheers,
Harsh

Re: How to create a regex to extract values from an event?

woodcock — Sun, 09 Jun 2019 21:49:16 GMT

Did you accept the right one? Did you mention the wrong person in this comment?