Getting Data In

How to parse hash code from a raw log into a field

kjebaker3
New Member

Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload

What is the regex to parse the bold section out of a raw log?


woodcock
Esteemed Legend

Like this:

... |  rex "SHA (?<hash>\S+)"

kjebaker3
New Member

Thank you for your answers! How would I make this into a field extraction?


cpetterborg
SplunkTrust
SplunkTrust

At search time, or index time? BTW, Splunk best practice is at search time.


kjebaker3
New Member

At search time. I need to use a Data Model that contains fields that are currently not being parsed from the raw logs. I ran the regex and it worked so now I need this to be a field extraction that I can add to an app that the Data Model uses.


cpetterborg
SplunkTrust
SplunkTrust

Create a field extraction by going to Settings -> Fields -> Field Extractions -> New Field Extraction.

Then you fill in the form and use the regex in the Extraction/Transform field of the form.


niketn
Legend

@kjebaker3, refer to the following documentation for Field Extraction using IFX. You can override the automatic regular expression with your custom regular expression in the guided wizard: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cpetterborg
SplunkTrust
SplunkTrust

Something like this "run-anywhere" example should work for the case you provide:

| makeresults
| eval _raw="Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a" 
| rex "SHA (?<hash>[a-f0-9]+)"

niketn
Legend

@kjebaker3 adding a raw event sample would help us identify the correct regular expression pattern. Assuming the SHA # will be followed by a space character (the SHA itself will not contain a space), you can try the following regex on your _raw events:

<yourSearch>
| rex "SHA (?<hash>[^\s]+)\s"

@cpetterborg, slightly changed your Regex. Not sure of exact pattern until complete event can be posted.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
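The three rex patterns above differ in what they accept, and the difference matters once the extraction feeds a data model. The following is an added example, not code from this thread or from Splunk: it translates the three patterns into Python's re module (Splunk's rex uses PCRE named groups `(?<name>...)`, which Python spells `(?P<name>...)`) and runs them over the event from the question plus three constructed variants (hash at end of line, no SHA at all, uppercase hex), then checks whether the captured value is actually a 64-character hex string as a SHA-256 should be. The variant events, the `HASH` constant and the function names are assumptions made for the example.

```python
import re

# The hash from the question (64 lowercase hex chars = SHA-256).
HASH = "ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a"

# Constructed sample events. [0] is the event from the question; [1]-[3] are
# assumed variants chosen to expose the edge cases of each pattern.
SAMPLE_EVENTS = [
    f"Mail_Log_Splunk: Info: MID 119972447 SHA {HASH} filename Pics meeting pagoda.doc "
    "queued for possible file analysis upload",
    # hash is the last token on the line (as in the run-anywhere example)
    f"Mail_Log_Splunk: Info: MID 119972447 SHA {HASH}",
    # no SHA present at all
    "Mail_Log_Splunk: Info: MID 119972448 filename report.pdf queued for possible file analysis upload",
    # same hash, but emitted in uppercase hex
    f"Mail_Log_Splunk: Info: MID 119972449 SHA {HASH.upper()} filename report.pdf queued",
]

# The three patterns proposed in the thread, with Splunk's (?<hash>...) rewritten
# as Python's (?P<hash>...). The regex bodies are otherwise unchanged.
PATTERNS = {
    "woodcock":    re.compile(r"SHA (?P<hash>\S+)"),        # any non-space run
    "cpetterborg": re.compile(r"SHA (?P<hash>[a-f0-9]+)"),  # lowercase hex only
    "niketn":      re.compile(r"SHA (?P<hash>[^\s]+)\s"),   # requires trailing whitespace
}

# A SHA-256 hex digest is exactly 64 hex characters; accept either case.
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def extract_hash(event, pattern):
    """Return the named 'hash' group for the first match in event, or None."""
    m = pattern.search(event)
    return m.group("hash") if m else None


def is_sha256(value):
    """True when value looks like a SHA-256 hex digest (64 hex chars)."""
    return value is not None and SHA256_HEX.match(value) is not None


def run_all(events=SAMPLE_EVENTS):
    """Map pattern name -> list of extracted hashes (None where no match) per event."""
    return {name: [extract_hash(e, p) for e in events] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"{name}:")
        for event, value in zip(SAMPLE_EVENTS, results):
            print(f"  {value!r:70} sha256={is_sha256(value)}  <- {event[:40]}...")
```

Running it shows the practical trade-offs: `\S+` matches every event that carries a SHA, including the uppercase one; `[a-f0-9]+` silently returns no field for uppercase hex; and the pattern with a trailing `\s` returns nothing when the hash is the last token on the line, which is exactly the shape of the run-anywhere test event. Whichever pattern is chosen for the field extraction, a length check like `is_sha256` is a cheap way to confirm the extraction is pulling a complete digest rather than a fragment before a data model starts depending on it.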