topic Re: Removing characters from output with rex in Splunk Search

Removing characters from output with rex

SplunkySplunk — Sun, 13 Sep 2020 13:49:16 GMT

I`m trying to remove a hash string from my output-
"Example hash is 3ernksMt7b3EzKwHuW4papuEFtvePZtDs9CQFeVYy57= will not be cracked"
As the hash is changing but has unique specifications, I'm trying to implement a rex rule to catch every event with this rule- "[a-zA-Z0-9]+="
Unfortunately, I've tried multiple solutions from the forum but non worked for this case.

I would also appreciate a reference to the documentation on this issue (Understanding each part of the rex command)

Re: Removing characters from output with rex

ITWhisperer — Sun, 13 Sep 2020 14:36:39 GMT

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

regex101.com is a good site to test regex expressions

Re: Removing characters from output with rex

thambisetty — Sun, 13 Sep 2020 15:30:32 GMT

Worth watching regular expressions in Splunk

https://youtu.be/LoiyiCVGLnw

Re: Removing characters from output with rex

SplunkySplunk — Sun, 13 Sep 2020 15:37:02 GMT

Thank you
That what made the trick