All Apps and Add-ons

Regex to extract separate hashes from Hashes fields?

evallja
Path Finder

Hello,

I want to extract 4 fields using regex with their respective names in bold and their respective values as per below:

Hashes="SHA1=27EFA81247501EBA6603842F476C899B5DAAB8C7,MD5=49E93FA14D4E09AAFD418AB616AD1BB1,SHA256=35E3F44C587DE8BFF62095E768C77E12E2C522FB7EFD038FFFCC0DD2AE960A57,IMPHASH=B7A4477FA36E2E5287EE76AC4AFCB05B"

The actual field name is "Hashes", I want to extract one field named SHA1 with the value "27EFA81247501EBA6603842F476C899B5DAAB8C7", one field named MD5 with the value "49E93FA14D4E09AAFD418AB616AD1BB1" etc.

Thank you in advance.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex field=Hashes "SHA1=(?<sha1>[^,]+),MD5=(?<md5>[^,]+),SHA256=(?<sha256>[^,]+),IMPHASH=(?<imphash>.*)"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| rex field=Hashes "SHA1=(?<sha1>[^,]+),MD5=(?<md5>[^,]+),SHA256=(?<sha256>[^,]+),IMPHASH=(?<imphash>.*)"
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...