Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with some basic REGEX please?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pir8radio
Path Finder
10-21-2019
08:06 PM
In this string: Version=\x221.7.53a\x22
I want to capture everything in between \x22 and \x22 so the result on this string would be 1.7.53a
but some other strings could look like Version=\x224.3.0.15\x22 the result should be 4.3.0.15
there are other fields like user=\x22username\x22 that i dont care about, just the version=\x22.........\x22
Any help would be appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arjunpkishore5
Motivator
10-29-2019
04:59 AM
Based on the data you posted in @richgalloway Answer, it looks like there are no field extractions on your data. so this is what you probably need
| rex field=_raw "Version=\\x22(?<version>[^\\]+)\\x22"
If you do have field extractions, @richgalloway 's answer is right except for a small error. there's a missing x at the end. so this is what you need. I posted this as a comment on his answer. If this work's, Please upvote his answer and mark this as the answer
| rex field=Version "\\x22(?<version>[^\\]+)\\x22"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wenthold
Communicator
10-30-2019
01:21 PM
Escaping backlashes with rex is strange. You could use three slashes:
| rex field=_raw "Version=\\\x22(?<Version>.*?)\\\x"
or use \x5c:
| rex field=_raw "Version=\x5cx22(?<Version>.*?)\x5cx"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arjunpkishore5
Motivator
10-29-2019
04:59 AM
Based on the data you posted in @richgalloway Answer, it looks like there are no field extractions on your data. so this is what you probably need
| rex field=_raw "Version=\\x22(?<version>[^\\]+)\\x22"
If you do have field extractions, @richgalloway 's answer is right except for a small error. there's a missing x at the end. so this is what you need. I posted this as a comment on his answer. If this work's, Please upvote his answer and mark this as the answer
| rex field=Version "\\x22(?<version>[^\\]+)\\x22"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jawahir007
Communicator
10-22-2019
06:44 AM
try this : | rex field=Version "\\x22(?<version>.*)\\x22"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
10-21-2019
11:07 PM
At search time, you can use | rex field=Version "\\x22(?<version>[^\\]+)\\22".
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arjunpkishore5
Motivator
10-29-2019
03:32 AM
I think you meant | rex field=Version "\\x22(?<version>[^\\]+)\\x22"
You missed the x at the end 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pir8radio
Path Finder
10-28-2019
06:49 PM
either I'm using this incorrectly, or its not working, here is the full string in the database:
172.69.63.125 - - [28/Oct/2019:20:40:58 -0500] "POST /emby/Sessions/Playing/Progress HTTP/1.1" 204 0 "-" "Dalvik/2.1.0 (Linux; U; Android 7.1.2; AFTMM Build/NS6266)" "2601:243:ca80:35ce:31dc:3f3f:5f8e:3718
forwarded_for
" 0.042 443 "MediaBrowser Client=\x22AndroidTv\x22, DeviceId=\x22dec6c5313ff588a2\x22, Device=\x22Bedroom TV\x22, Version=\x221.7.53a\x22, UserId=\x22e76db24xxxxxxxxxxxxd7a988641618\x22"
i want to extract a Field using regex, i would like out of the above string "1.7.53a" for field Version Various versions exist, one could be 4.3.0.15 or 1.7.53 or 1.7.53a etc... so basically in the above access log i want to grab that version field and get rid of the \x22 on each side of the version number.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
It’s go time — Boston, here we come!
Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...
Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
