Solved: Re: Extract Fields Using RegEx

kramsay · ‎01-30-2014

I am having trouble trying to parse data from a raw event line.

The raw event come in 2 different ways further below using the following regex info

(?i)^(?:[^^]*^){2}(?P[^^]+)

The issue is some have ^ and others %5E is there a way to capture both in the extraction?

[30/Jan/2014:04:59:58 +0000] "GET /t25f.png?Starcom_CrystalLight_CrystalLight_BS_Visor1_3023150_5184568%5E5184568%5E23255909%5E3098598 HTTP/1.1" 200 h://cms.springboard.gorillanation.com/embed_iframe/1085/video/854883/tjbr001/thejasminebrand.com/10"

&

[30/Jan/2014:04:59:59 +0000] "GET /s75t.png?Starcom_ChrystalLight_ChrystalLight_CU_Visor1_3023150_5170050^5170050^23244639^2844787^^NoOfSlates=1^CurrentSlate=1 HTTP/1.1" 200 h://www.pch.com/entryintervid?crmN=2014JanTVPC1En"

Thanks you all for any help.

somesoni2 · ‎01-30-2014

Try this workaround

your base search ..| eval new_raw=replace(_raw,"%5E","^")| rex field=new_raw "(?i)^(?:[^(\^)]*(\^)){2}(?P<bannerid>[^\^]+)"

View solution in original post

David · ‎01-30-2014

This regex seems to work well on regexr:

GET(?:.*?(?:\^|%5E)){2}(?<bannerid>.*?)(?:\^|%5E)

Does that get you what you're looking for?

somesoni2 · ‎01-30-2014

Try this workaround

your base search ..| eval new_raw=replace(_raw,"%5E","^")| rex field=new_raw "(?i)^(?:[^(\^)]*(\^)){2}(?P<bannerid>[^\^]+)"

kramsay · ‎01-30-2014

Yes you are correct.

kristian_kolb · ‎01-30-2014

Am I correct in guessing that you want to extract

- 23255909 from the first event
- 23244639 from the second event

Extract Fields Using RegEx

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation