Solved: Help needed capturing a regex and then grouping on...

mikeclemson · ‎10-24-2019

I have unstructured data that can vary, and I want to find results that match exactly 32 lowercase a-z characters, and then group based on that match. My field name is cs6, which includes an entire HTTP request. I see that my regex is quite simple, regex cs6="[a-z]{32}". How do I further extract this value and group on the occurrences to find out which of these is most common? These represent Chrome extension IDs.

The examples that I found seemed to require me to have a consistent prefix, which I won't have.

diogofgm · ‎10-24-2019

instead of |regex cs6="[a-z]{32}" use this: |rex field=cs6 "(?<extension_id>[a-z]{32})" | stats count by extension_id

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

diogofgm · ‎10-24-2019

instead of |regex cs6="[a-z]{32}" use this: |rex field=cs6 "(?<extension_id>[a-z]{32})" | stats count by extension_id

------------
Hope I was able to help you. If so, some karma would be appreciated.

mikeclemson · ‎10-25-2019

Thanks! I misunderstood the examples as thinking I needed the name, in your example extension_id, to exist in my actual data. I realize now I just make up whatever I want, making sure the entire thing is inside a capture group with parentheses.

diogofgm · ‎10-25-2019

yes 😉 I recommend checking regex101.com to test your regex patterns and learn more.

------------
Hope I was able to help you. If so, some karma would be appreciated.

Help needed capturing a regex and then grouping on it

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...