Hi everyone,
I'm struggling to find a REGEX to extract 2 values from my events.
I got events like this:
2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0
I was looking for a REGEX to extract these two values:
0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E
and
0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E
But I don't know how to write the right REGEX.
Thank you for reading and thank you in advance for your answers.
Hi @le_barbucheron,
Is this what you are looking for?
Edit: Updated the regex in the link for two possible cases you mentioned
Also,
Here's the search in Splunk which will work exactly like shown in the link:
| makeresults count=1
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0"
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"
// with space example
| makeresults count=1
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0"
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"
Thank you everybody, I think I'm going to use the regex written by @martynoconnor with the fillnull command to place the "0" values that were skipped.
Again, thank you so much!
Did you accept the right one? Did you mention the wrong person in this comment?
Like this:
... | rex "([\d,a-f,A-F]+\s+)(?<f1>[\d,a-f,A-F]+)\s+(?<f2>[\d,a-f,A-F]+)\s+([\d,a-f,A-F]+\s+){15}"
Or, here is a little bit different take...
^(.*;){9}\d\s(?P<Field1>\d)(?P<Field2>\d)
I just noticed the data in gcusello's session in regex101 is different than the data provided in the post above. There is a space between the two fields to be captured in gcusello's session in regex101. Does the original data have variances like this or is it consistently one way or the other?
There is no space between the two values I need to extract; they'll always be grouped like in my example.
Oops, sorry, I was wrong: when the values of the field are different from 0 there is no space, but when the first or the second is at 0 there is a space, like this:
0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
So there are two possibilities in your data?
It can be 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
OR 0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
Am I right?
Yes, there are these two possibilities, and your expression:
"\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"
works very well!!! Thank you so much!
Can you please re-send it so I can accept it? 🙂
Sorry guys, I don't know why I didn't get any notifications of your replies.
Here are some more samples:
2019-05-02 08:29:05.225;2019-05-02 08:29:05.225;2019-05-02 07:29:05.225;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;5 52 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0
2019-05-03 09:32:12.552;2019-05-03 09:32:12.552;2019-05-02 09:32:12.552;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;1 73 0 0 0 0 0 8 0 0 0 0 0 0 0 C CD 39 ;\x00;\x00;\x00;0;0
2019-05-03 10:17:15.355;2019-05-03 10:17:15.355;2019-05-03 10:32:15.355;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10 ;\x00;\x00;\x00;0;0
2019-05-03 11:16:03.012;2019-05-03 11:16:03.012;2019-05-03 11:16:06.012;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0 ;\x00;\x00;\x00;0;0
I tried the 3 propositions you made and only the expression written by @martynoconnor gets me a result, but this result returns an empty value when the first number extracted is "0".
Thank you for your answers! 🙂
Hi le_barbucheron,
let me understand: do you want the second numeric value in a field and the third one in another field?
If this is your need, try something like this:
^([^;]*;){10}\d\s(?P<Field1>\d)\s(?P<Field2>\d)
You can test it at https://regex101.com/r/7SRUfz/2
Bye.
Giuseppe
I'd need to see more sample events to ensure this regex isn't too focused on one event, but this works:
x00;\d\s(?<capturegroup1>\d)(?<capturegroup2>\d)
Please post an additional sample,
Are the values you are showing only going to contain values between 0 and 9? Your original event has 22 instead of 2 2.
@le_barbucheron Try this 🙂
Cheers,
Harsh
Sure, I tried your answer but I don't know why it doesn't work on my events, though it works perfectly on regex101.
Can you please try this search and see if it works?
| makeresults count=1
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0"
| rex field=_raw "\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"
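The pattern the thread settled on, run in Python against constructed copies of the three event shapes discussed above (fused "22", spaced "0 4", leading-zero "02"), beside a ';'-field-splitting extraction that also covers the spaced case the regex leaves empty. This is an added example, not code from the thread; the fused-versus-spaced rule it applies is an assumption drawn from the samples posted here, not something the log format documents.

```python
import re

# Constructed sample events in the same layout as the thread's: a ';'-separated
# record whose 11th field holds the space-separated tokens. The event text holds
# the four literal characters "\x00", not a NUL byte, which is why the SPL form
# of the pattern needs "\\\\x": SPL unescapes that to "\\x", and PCRE then reads
# it as a literal backslash followed by "x".
PREFIX = (r"2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;"
          r"LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;")
SUFFIX = r" ;\x00;\x00;\x00;0;0"
FUSED = PREFIX + "0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E" + SUFFIX        # no space
SPACED = PREFIX + "0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E" + SUFFIX    # with space
LEADING_ZERO = PREFIX + "0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10" + SUFFIX

# The accepted pattern from the thread, in Python's (?P<name>...) group syntax.
ACCEPTED = re.compile(r"\\x\d\d;\d\s(?P<first>\d)(?P<second>\d)")


def extract_with_regex(event):
    """Return (first, second) from the accepted regex, or None when it does not match."""
    m = ACCEPTED.search(event)
    return (m.group("first"), m.group("second")) if m else None


def extract_by_fields(event):
    """Split on ';', take the 11th field, and normalise the two variants described
    in the thread: a two-digit second token ("22") is two fused values, while a
    spaced pair ("0 4") already arrives as two tokens.  Assumption from the samples."""
    fields = event.split(";")
    if len(fields) < 11:
        return None
    tokens = fields[10].split()
    if len(tokens) < 3:
        return None
    if len(tokens[1]) == 2:
        return tokens[1][0], tokens[1][1]
    return tokens[1], tokens[2]


def extract_all(events):
    """Prefer the regex; fall back to field splitting where the regex finds nothing."""
    return [extract_with_regex(e) or extract_by_fields(e) for e in events]


if __name__ == "__main__":
    for event, pair in zip([FUSED, SPACED, LEADING_ZERO], extract_all([FUSED, SPACED, LEADING_ZERO])):
        print(event.split(";")[10].strip(), "->", pair)
```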