Solved: How do I use regex to search a field for content?

digital_alchemy · ‎10-28-2015

I'm searching for specific GET requests for example:

GET /wddyr.php?id=41576619113845C1EE http/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

I want to pull out anything that matches this pattern:

{5characters}.php?id={6 random numbers}{12 characters}

The below Regex works but I can't figure out how implement it within Splunk.

[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12}

MuS · ‎10-28-2015

Hi digital_alchemy,

if you want to get everything into a field called for example getField use it in a search this way:

 your base search here | rex "(?<getField>[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12})" | table getField

or split it into three different fields:

your base search here | rex "(?<getScript>[a-z,A-Z]{5}.php)[?]id=(?<getID>[0-9]{6})(?<getString>[a-z,A-Z,0-9]{12})" | table getScript getID getString

Hope this helps ...

cheers, MuS

MuS · ‎10-28-2015

Hi digital_alchemy,

if you want to get everything into a field called for example getField use it in a search this way:

 your base search here | rex "(?<getField>[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12})" | table getField

or split it into three different fields:

your base search here | rex "(?<getScript>[a-z,A-Z]{5}.php)[?]id=(?<getID>[0-9]{6})(?<getString>[a-z,A-Z,0-9]{12})" | table getScript getID getString

Hope this helps ...

cheers, MuS

How do I use regex to search a field for content?