Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a regex to extract values from an event?

le_barbucheron
Path Finder
‎06-03-2019 01:22 AM

Hi everyone,

I'm struggling to find a REGEX to extract 2 value from my events.

I got events like this : 

2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

I was looking for a REGEX to extract this two values :

0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E
and
0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E

But I don't know how write the right REGEX.

Thank you for reading and thank you in advance for your answers.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harshpatel
Contributor
‎06-03-2019 05:14 AM

Hi @le_barbucheron,

Is this what you are looking for.

Edit: Updated the regex in the link for two possible cases you mentioned
Also,
Heres the search in Splunk which will work exactly like shown in the link:

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

// with space example


| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

View solution in original post

Reply
Solved! Jump to solution

le_barbucheron
Path Finder
‎06-06-2019 01:42 AM

Thank you everybody, I think i'm going to use the regex wrote by @martynoconnor with the fillnull command to place the "0" values skipped,

Again, thank you so much !

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-09-2019 02:49 PM

Did you accept the right one? Did you mention the wrong person in this comment?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-05-2019 08:55 AM

Like this:

... | rex "([\d,a-f,A-F]+\s+)(?<f1>[\d,a-f,A-F]+)\s+(?<f2>[\d,a-f,A-F]+)\s+([\d,a-f,A-F]+\s+){15}"
Reply
Solved! Jump to solution

mydog8it
Builder
‎06-05-2019 07:58 AM

O, here is a little bit different take...

^(.*;){9}\d\s(?P<Field1>\d)(?P<Field2>\d)
Reply
Solved! Jump to solution

mydog8it
Builder
‎06-05-2019 08:16 AM

I just noticed the data in gcusello's session in regex101 is different than the data provided in the post above. There is a space between the two fields to be captured gcusello's session in regex101. Does the original data have variances like this or is it consistently one way or the other?

0 Karma
Reply
Solved! Jump to solution

le_barbucheron
Path Finder
‎06-06-2019 12:12 AM

Their is no space between the two value I need to extract, they'll always be grouped like my example

0 Karma
Reply
Solved! Jump to solution

le_barbucheron
Path Finder
‎06-06-2019 01:34 AM

Oops sorry i was wrong, when the value of the field are different of 0 their is no space but when the first are the second are at 0 their is a space, like this :

0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

0 Karma
Reply
Solved! Jump to solution

harshpatel
Contributor
‎06-06-2019 04:40 AM

So theres two possibilities in your data?
It can be 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
OR 0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

Am I right?

0 Karma
Reply
Solved! Jump to solution

le_barbucheron
Path Finder
‎06-06-2019 04:50 AM

yes their is this two possibilities and your expression : 

"\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"

Work very well !!! thank you so much !

Can you please re-send it so i can accept it ? 🙂

0 Karma
Reply
Solved! Jump to solution

le_barbucheron
Path Finder
‎06-05-2019 06:06 AM

Sorry, guys I don't know why I didn't get any notifications of your reply,

Here's some more samples : 

     2019-05-02 08:29:05.225;2019-05-02 08:29:05.225;2019-05-02 07:29:05.225;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;5 52 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

     2019-05-03 09:32:12.552;2019-05-03 09:32:12.552;2019-05-02 09:32:12.552;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;1 73 0 0 0 0 0 8 0 0 0 0 0 0 0 C CD 39 ;\x00;\x00;\x00;0;0

     2019-05-03 10:17:15.355;2019-05-03 10:17:15.355;2019-05-03 10:32:15.355;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10 ;\x00;\x00;\x00;0;0

     2019-05-03 11:16:03.012;2019-05-03 11:16:03.012;2019-05-03 11:16:06.012;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0 ;\x00;\x00;\x00;0;0

I tried the 3 propositions you made me and only the expression writed by @martynoconnor get me a result but this result return me an empty value when the first number extracted is "0"

Thank you for your answers ! 🙂

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-03-2019 06:31 AM

Hi le_barbucheron,
let me understand: do youi want the second numeric value in a field and the third one in another field?

If this is your need, try something like this

^([^;]*;){10}\d\s(?P<Field1>\d)\s(?P<Field2>\d)

You can test it at https://regex101.com/r/7SRUfz/2

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

martynoconnor
Communicator
‎06-03-2019 06:19 AM

I'd need to see more sample events to ensure this regex isn't too focused on one event, but this works:

x00;\d\s(?<capturegroup1>\d)(?<capturegroup2>\d)
Reply
Solved! Jump to solution

martinpu
Communicator
‎06-03-2019 05:14 AM

Please post an additional sample,
are the values you are showing only going to contain values between 0 and 9? Your original event has 22 instead of 2 2

Reply
Solved! Jump to solution
Solution

harshpatel
Contributor
‎06-03-2019 05:14 AM

Hi @le_barbucheron,

Is this what you are looking for.

Edit: Updated the regex in the link for two possible cases you mentioned
Also,
Heres the search in Splunk which will work exactly like shown in the link:

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

// with space example


| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"
Reply
Solved! Jump to solution

harshpatel
Contributor
‎06-06-2019 04:59 AM

@le_barbucheron Try this 🙂

Cheers,
Harsh

Reply
Solved! Jump to solution

le_barbucheron
Path Finder
‎06-05-2019 06:37 AM

Sure, I tried your answer but i don't know why this don't work on my events but this work perfectly on regex101

0 Karma
Reply
Solved! Jump to solution

harshpatel
Contributor
‎06-06-2019 03:14 AM

Can you please try this search and see if it works?

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...