
How to create a regex to extract values from an event?

le_barbucheron
Path Finder

Hi everyone,

I'm struggling to find a REGEX to extract 2 values from my events.

I get events like this:

2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

I was looking for a REGEX to extract these two values:

0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E
and
0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E

But I don't know how to write the right REGEX.

Thank you for reading and thank you in advance for your answers.


harshpatel
Contributor

Hi @le_barbucheron,

Is this what you are looking for?

Edit: Updated the regex in the link for the two possible cases you mentioned.
Also,
here's the search in Splunk which will work exactly like shown in the link:

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

// with space example


| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"


le_barbucheron
Path Finder

Thank you everybody, I think I'm going to use the regex written by @martynoconnor with the fillnull command to put in the "0" values that get skipped.

Again, thank you so much!


woodcock
Esteemed Legend

Did you accept the right one? Did you mention the wrong person in this comment?


woodcock
Esteemed Legend

Like this:

... | rex "([\d,a-f,A-F]+\s+)(?<f1>[\d,a-f,A-F]+)\s+(?<f2>[\d,a-f,A-F]+)\s+([\d,a-f,A-F]+\s+){15}"

mydog8it
Builder

Oh, here is a slightly different take...

^(.*;){9}\d\s(?P<Field1>\d)(?P<Field2>\d)

mydog8it
Builder

I just noticed the data in gcusello's session in regex101 is different from the data provided in the post above. There is a space between the two fields to be captured in gcusello's session in regex101. Does the original data have variances like this, or is it consistently one way or the other?


le_barbucheron
Path Finder

There is no space between the two values I need to extract; they'll always be grouped like in my example.


le_barbucheron
Path Finder

Oops, sorry, I was wrong: when the values of the field are different from 0 there is no space, but when the first or the second is at 0 there is a space, like this:

0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0


harshpatel
Contributor

So there are two possibilities in your data?
It can be 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
OR 0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

Am I right?


le_barbucheron
Path Finder

Yes, there are these two possibilities, and your expression:

"\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"

works very well!!! Thank you so much!

Can you please re-send it so I can accept it? 🙂


le_barbucheron
Path Finder

Sorry guys, I don't know why I didn't get any notifications of your replies.

Here are some more samples:

2019-05-02 08:29:05.225;2019-05-02 08:29:05.225;2019-05-02 07:29:05.225;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;5 52 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

2019-05-03 09:32:12.552;2019-05-03 09:32:12.552;2019-05-02 09:32:12.552;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;1 73 0 0 0 0 0 8 0 0 0 0 0 0 0 C CD 39 ;\x00;\x00;\x00;0;0

2019-05-03 10:17:15.355;2019-05-03 10:17:15.355;2019-05-03 10:32:15.355;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10 ;\x00;\x00;\x00;0;0

2019-05-03 11:16:03.012;2019-05-03 11:16:03.012;2019-05-03 11:16:06.012;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0 ;\x00;\x00;\x00;0;0

I tried the 3 suggestions you made and only the expression written by @martynoconnor gets me a result, but it returns an empty value when the first number extracted is "0".

Thank you for your answers! 🙂


gcusello
SplunkTrust

Hi le_barbucheron,
let me understand: do you want the second numeric value in a field and the third one in another field?

If this is your need, try something like this:

^([^;]*;){10}\d\s(?P<Field1>\d)\s(?P<Field2>\d)

You can test it at https://regex101.com/r/7SRUfz/2

Bye.
Giuseppe


martynoconnor
Communicator

I'd need to see more sample events to ensure this regex isn't too focused on one event, but this works:

x00;\d\s(?<capturegroup1>\d)(?<capturegroup2>\d)

martinpu
Communicator

Please post an additional sample. Are the values you are showing only going to contain values between 0 and 9? Your original event has 22 instead of 2 2.

harshpatel
Contributor

@le_barbucheron Try this 🙂

Cheers,
Harsh

le_barbucheron
Path Finder

Sure, I tried your answer, but I don't know why it doesn't work on my events, although it works perfectly on regex101.


harshpatel
Contributor

Can you please try this search and see if it works?

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"
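An added check (not code from the thread or from Splunk) that runs the two rex patterns harshpatel posted, rewritten as Python regexes, over events constructed from the samples in this thread, next to a position-based extraction that splits on ";" instead of anchoring on "\x00". The event, extract_with and extract_by_field names are mine.

```python
import re

# Sample events constructed from the thread's examples (only the payload
# after "MSG [223];\x00;" varies). The text "\x00" is four literal
# characters here (backslash, x, 0, 0), not a NUL byte, which is why the
# SPL patterns above need "\\\\" to match the one backslash.
PREFIX = ("2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;"
          "2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;"
          "FROM;SOMESTRING;MSG [223];\\x00;")
SUFFIX = " ;\\x00;\\x00;\\x00;0;0"

def event(payload: str) -> str:
    """Build one raw event around a hex-dump payload (helper, not SPL)."""
    return PREFIX + payload + SUFFIX

# The two rex patterns from the thread as Python raw-string regexes:
# SPL "\\\\\w\d\d;..." reaches the regex engine as \\\w\d\d;...
EDITED_REX = re.compile(r"\\\w\d\d;\d\s(?P<first>\d)(?P<second>[1-9]|\s\d)")
FINAL_REX = re.compile(r"\\x\d\d;\d\s(?P<first>\d)(?P<second>\d)")

def extract_with(pattern, raw: str):
    """Return (first, second) or None. The \\s\\d alternative captures
    the leading space too, so 'second' is stripped before returning."""
    m = pattern.search(raw)
    if m is None:
        return None
    return m.group("first"), m.group("second").strip()

def extract_by_field(raw: str):
    """Position-based alternative: the 11th ';'-separated field is the
    hex dump; the wanted pair is either one two-character token ("22")
    or two single-character tokens ("0 4")."""
    fields = raw.split(";")
    if len(fields) < 11:
        return None
    tokens = fields[10].split()
    if len(tokens) < 3:
        return None
    if len(tokens[1]) == 2:
        return tokens[1][0], tokens[1][1]
    return tokens[1], tokens[2]

if __name__ == "__main__":
    for payload in ("0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E",
                    "0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E",
                    "0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0"):
        raw = event(payload)
        print(payload[:6], extract_with(EDITED_REX, raw),
              extract_with(FINAL_REX, raw), extract_by_field(raw))
```

The edited pattern returns None for a pair ending in 0 (the "0 40" sample) because of [1-9], and the final pattern returns None for the spaced variant ("0 0 4"); splitting on ";" and tokenizing the 11th field handles both.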