Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I create a Regex that doesn't contain random numbers or timestamps?

Kk
Path Finder
‎05-31-2022 11:59 PM

Hi All, I'm trying to find the credit card details in the logs with all in one regex expression. But I was also getting some other data too like timestamp data as it has more than 12digits and some random data. Just bit exhausted with this thing here. Is there any possible solution to find the credit card numbers directly that will not contains random numbers or time stamps. Help me with the query if possible.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2022 01:56 AM

https://regex101.com/r/eqLFaV/1 

| rex "card>.*?\D?(?<card>\d{16})\<card"

 

View solution in original post

Reply
Solved! Jump to solution

venky1544
Builder
‎06-01-2022 01:16 AM

Hi @Kk 

Better solution/suggestions can be provided if you paste some sample/dummy data 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2022 12:11 AM

With regex, it helps to identify some sort of anchor pattern e.g. "card=xxxx". If you don't have this, and you just want to look for strings of 16 digits for example

| rex "\D(?<possiblecard>\d{16})\D"
Reply
Solved! Jump to solution

Kk
Path Finder
‎06-01-2022 01:02 AM

Hi @ITWhisperer , actually we are having many anchor patterns to recognise the card details. Example like card>xxxx, text:xxx. So is their any way to find by using generic query?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2022 01:18 AM

Regex works with patterns - if you can define what you mean by generic as a pattern, then you might be able to do it in regex. For example, the "generic" pattern is my example is non-digit followed by 16 digits followed by another non-digit. If you know all the anchors you are expecting, you might be able to combine them into a single rex

| rex "(anchor1|anchor2|anchor3)(?<card>\d{16})\D"
Reply
Solved! Jump to solution

Kk
Path Finder
‎06-01-2022 01:50 AM

Yeah we can do in that way but in anchor tag we can't expect only card details. We have some other data too.

Example:

card>xxxxxxxxxx9787<card

card> this is so and so info xxxxxxxx9797<card.

So how can we search card details in these cases.

 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2022 01:56 AM

https://regex101.com/r/eqLFaV/1 

| rex "card>.*?\D?(?<card>\d{16})\<card"

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...