Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone help me with regex to remove HTML tags from fields?

ndsouza25
New Member
‎08-17-2018 12:55 PM

Hello,

Could someone please help me with removing the HTML tags from fields.

The data is a few sentences, such as remediation of a Microsoft patch, but contains links within.

This data is coming in through a lookup that I can't modify apparently. I'd like to get rid of the

etc tags so I can just display the text in a clear format.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

horsefez
Motivator
‎08-17-2018 11:42 PM

@ndsouza25

I worked on your second request which was a bit more difficult. But I managed to get it.

https://regex101.com/r/q5fPca/3

The SPL command would look something like this:
yourbasesearch | rex mode=sed field=_raw "s/((?=<[^>]>)[^;]+;[^;]+;|<[^>]>|<\/[^>]+>|<[^'"]+['"]|['"][^<]+<[^>]+>)//g"

you can change the field=_raw to another field name if you have already extracted this text into another field (optional)

View solution in original post

Reply
Solved! Jump to solution
Solution

horsefez
Motivator
‎08-17-2018 11:42 PM

@ndsouza25

I worked on your second request which was a bit more difficult. But I managed to get it.

https://regex101.com/r/q5fPca/3

The SPL command would look something like this:
yourbasesearch | rex mode=sed field=_raw "s/((?=<[^>]>)[^;]+;[^;]+;|<[^>]>|<\/[^>]+>|<[^'"]+['"]|['"][^<]+<[^>]+>)//g"

you can change the field=_raw to another field name if you have already extracted this text into another field (optional)

Reply
Solved! Jump to solution

horsefez
Motivator
‎08-17-2018 11:49 PM

unfortunately I had to delete the "KB43... " as well... as it would stick to the URL. Therefore making the URL invalid.

If you really need that "KB43..." value then hit me up again.

0 Karma
Reply
Solved! Jump to solution

ndsouza25
New Member
‎08-18-2018 01:57 PM

Thank you for spending the time! I don't need the KB values, but when I put the SPL command in, I get this error: Mismatched ']'. I see that the regex works, but can't figure out why Splunk complains about it.

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎08-18-2018 05:08 PM

@ndsouza25 you are right, I fixed it 🙂

| rex mode=sed field=_raw "s/((?=<[^>]>)[^;]+;[^;]+;|<[^>]>|<\/[^>]+>|<[^\'\"]+[\'\"]|[\'\"][^<]+<[^>]+>)//g"

The problem was that I needed to escape " characters, as they interfere with the engine 🙂

Works now, tested it in splunk.

0 Karma
Reply
Solved! Jump to solution

ndsouza25
New Member
‎08-19-2018 12:13 AM

It works perfectly, thank you very much pyro_wood!

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎08-17-2018 02:15 PM

I wrote a regex that can at least get you the raw text in the format you wanted (without the hyperlinks actually working)

yourbasesearch | rex mode=sed field=_raw "s/(<[^>]+>|(?<=P>)(?:[^;]+;)+)//g"

The result should look like this afterwards:
Customers are advised to follow KB4343902 for instructions pertaining to the remediation of these vulnerabilities. Following are links for downloading patches to fix the vulnerabilities: ADV180020

https://regex101.com/r/q5fPca/1

0 Karma
Reply
Solved! Jump to solution

ndsouza25
New Member
‎08-17-2018 07:28 PM

Thank you very much! This works great! Is it possible to still display the URL. I don't need it to work as a hyperlink, but just show up so someone can copy and paste it into a browser. I really appreciate the help and quick response!

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎08-17-2018 01:07 PM

please submit a sample of the data

@marycordova
Reply
Solved! Jump to solution

ndsouza25
New Member
‎08-17-2018 01:34 PM 
Customers are advised to follow <A HREF='https://support.microsoft.com/en-ph/help/4343902/security-update-for-adobe-flash-player' TARGET='_blank'>KB4343902</A> for instructions pertaining to the remediation of these vulnerabilities.<P> <P>Patch:&lt;br/&gt; Following are links for downloading patches to fix the vulnerabilities: <P> <A HREF='https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180020' TARGET='_blank'>ADV180020</A>
0 Karma
Reply
Solved! Jump to solution

ndsouza25
New Member
‎08-17-2018 01:35 PM

Above is a sample of the data I get from our vulnerability system. I would like for it to read as such, but actually show the link URL instead of converting to a hyperlink:

Customers are advised to follow KB4343902 for instructions pertaining to the remediation of these vulnerabilities.

Patch: Following are links for downloading patches to fix the vulnerabilities:

ADV180020

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎08-17-2018 02:00 PM

When I read "removing the html tags from fields" I immediately thought about regular expressions.
Unfortunately you don't seem to want to remove them. You want to create a hyperlink.

I'm not sure if I can help you with that. Sorry. 😞

P.S.: I'm not even sure if that is possible at all.

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎08-17-2018 01:21 PM

Hi @ndsouza25 , as @marycordovacaa said please share some sample data... otherwise we won't be able to help you.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...