Getting Data In

How to parse hash code from a raw log into a field

kjebaker3
New Member

Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload

What is the regex to parse the bold section out of a raw log?

0 Karma

woodcock
Esteemed Legend

Like this:

... |  rex "SHA (?<hash>\S+)"
0 Karma

kjebaker3
New Member

Thank you for your answers! How would I make this into a field extraction?

0 Karma

cpetterborg
SplunkTrust

At search time, or index time? BTW, Splunk best practice is at search time.

0 Karma

kjebaker3
New Member

At search time. I need to use a Data Model that contains fields that are currently not being parsed from the raw logs. I ran the regex and it worked so now I need this to be a field extraction that I can add to an app that the Data Model uses.

0 Karma

cpetterborg
SplunkTrust

Create a field extraction by going to Settings -> Fields -> Field Extractions -> New Field Extraction.

Then you fill in the form and use the regex in the Extraction/Transform field of the form.

0 Karma

niketn
Legend

@kjebaker3, refer to the following documentation for Field Extraction using IFX. You can override the automatic regular expression with your custom regular expression in the guided wizard: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cpetterborg
SplunkTrust

Something like this "run-anywhere" example should work for the case you provide:

| makeresults
| eval _raw="Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a" 
| rex "SHA (?<hash>[a-f0-9]+)"

niketn
Legend

@kjebaker3 adding a raw event sample would help us identify the correct regular expression pattern. Assuming the SHA # will be followed by a space character (the SHA will not have a space in it), you can try the following regex on your _raw events:

<yourSearch>
| rex "SHA (?<hash>[^\s]+)\s"

@cpetterborg, slightly changed your Regex. Not sure of exact pattern until complete event can be posted.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
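A side-by-side check of the three patterns posted in this thread, as an added example that is not part of the original answers, written in Python rather than SPL so it runs offline. Only the first event is the asker's; the other two events and the stricter `STRICT` pattern are my own constructed additions. Note that Python spells named groups `(?P<hash>...)` where Splunk's PCRE accepts `(?<hash>...)`.

```python
import re

# Constructed sample events: the first mirrors the event in the question,
# the other two are made up to exercise edge cases (uppercase hex, no hash).
EVENTS = [
    "Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload",
    "Mail_Log_Splunk: Info: MID 119972448 SHA 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF filename invoice.xls queued",
    "Mail_Log_Splunk: Info: MID 119972449 no attachment",
]

# The three patterns proposed in the thread, keyed by the answerer.
# Python needs (?P<hash>...); in a Splunk rex or props.conf EXTRACT use (?<hash>...).
PATTERNS = {
    "woodcock":    r"SHA (?P<hash>\S+)",
    "cpetterborg": r"SHA (?P<hash>[a-f0-9]+)",
    "niketn":      r"SHA (?P<hash>[^\s]+)\s",
}

# Assumption (not proposed on the page): a stricter pattern that only accepts a
# full 64-hex-digit SHA-256 in either case and refuses to match a truncated run,
# so a partial value never lands in the data model's hash field.
STRICT = r"SHA (?P<hash>[A-Fa-f0-9]{64})(?!\S)"


def extract(pattern, event):
    """Return the captured hash lowercased (the usual normalisation before
    feeding a data model) or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("hash").lower() if m else None


def hash_kind(value):
    """Classify a captured value by length; anything else is a bad extraction."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value or ""), "unknown")


def compare(event):
    """Run every pattern over one event so the differences are visible."""
    results = {name: extract(p, event) for name, p in PATTERNS.items()}
    results["strict"] = extract(STRICT, event)
    return results


if __name__ == "__main__":
    for ev in EVENTS:
        for name, value in compare(ev).items():
            print(f"{name:12s} {hash_kind(value):8s} {value}")
```

On the second event the case-sensitive `[a-f0-9]+` stops at the first uppercase digit and yields a 10-character fragment, which `hash_kind` flags as unknown; the other patterns and `STRICT` return the full hash.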