Splunk Search

How do I use regex to search a field for content?

digital_alchemy
Path Finder

I'm searching for specific GET requests for example:

GET /wddyr.php?id=41576619113845C1EE http/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

I want to pull out anything that matches this pattern:

{5characters}.php?id={6 random numbers}{12 characters}

The below Regex works but I can't figure out how implement it within Splunk.

[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12}
Tags (3)
0 Karma
1 Solution

MuS
Legend

Hi digital_alchemy,

if you want to get everything into a field called for example getField use it in a search this way:

 your base search here | rex "(?<getField>[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12})" | table getField

or split it into three different fields:

your base search here | rex "(?<getScript>[a-z,A-Z]{5}.php)[?]id=(?<getID>[0-9]{6})(?<getString>[a-z,A-Z,0-9]{12})" | table getScript getID getString

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi digital_alchemy,

if you want to get everything into a field called for example getField use it in a search this way:

 your base search here | rex "(?<getField>[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12})" | table getField

or split it into three different fields:

your base search here | rex "(?<getScript>[a-z,A-Z]{5}.php)[?]id=(?<getID>[0-9]{6})(?<getString>[a-z,A-Z,0-9]{12})" | table getScript getID getString

Hope this helps ...

cheers, MuS

Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...