All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extracting special characters using reg

royimad
Builder
‎05-08-2014 01:31 AM

I have a log file as the following

Event1: datetime1 any data xyz [macaddress]{2020-23233-23232-21123} any data { abc }
Event2: datetime2 any data abc [macaddress]{02:00:00:00:00} any data { [ hello ] }

In the middle of each event i have a macaddress name between [ ] and the macaddress value between {}
what is the regular expression that let me extract the macaddress value?

i'm trying this but it's not working search | rex "[macaddress]{(?)}"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-08-2014 01:38 AM

Hi royimad,

try something like this:

your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-])+[\w\d]+)\}" | tabel myadd myMAC

and to match only the IEEE 802 standard you should use this regex

your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-]){5}[\w\d]+)\}" | tabel myadd myMAC

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-08-2014 01:38 AM

Hi royimad,

try something like this:

your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-])+[\w\d]+)\}" | tabel myadd myMAC

and to match only the IEEE 802 standard you should use this regex

your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-]){5}[\w\d]+)\}" | tabel myadd myMAC

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-08-2014 02:32 AM

Maybe you should have a look at my App http://apps.splunk.com/app/1249 😉
to your question, this could be done using a lookup

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎05-08-2014 02:26 AM

If i know exactly that myadd is equal to macaddress in all the case but not a random word how can i simplified this ?

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎05-08-2014 02:25 AM

Perfect thank you.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-08-2014 02:18 AM

Hi dude,

well this is based on your provided information 😉 try this 

\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-])+[\w\d]+)\}

which works perfect in all of those different online regex testers

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎05-08-2014 01:49 AM

Hello dude,

There are 2 different type of mac address either separated by : or either separated by - and not necessary contains digital letter a mac address could contain any characters other then special ( Your query is working for the mac address separated by : )

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...