How to create a regex to extract values from an event?

Path Finder

Hi everyone,

I'm struggling to find a REGEX to extract 2 values from my events.

I got events like this:

2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

I was looking for a REGEX to extract these two values:

0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E
and
0 2 2 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E

But I don't know how to write the right REGEX.

Thank you for reading and thank you in advance for your answers.

0 Karma
1 Solution

Contributor

Hi @le_barbucheron,

Is this what you are looking for?

Edit: Updated the regex in the link for the two possible cases you mentioned.
Also, here's the search in Splunk which will work exactly like shown in the link:

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

// with space example

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\\w\d\d;\d\s(?<first>\d)(?<second>[1-9]|\s\d)"

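To check the accepted regex against the sample events posted in this thread before putting it into a rex command, here is a small Python harness (added here, not part of the thread; it uses Python's re engine in place of Splunk's PCRE, which behaves the same for this pattern, and the sample events are constructed from the ones posted above):

```python
import re

# Accepted regex from the thread, in Python syntax. The SPL string
# "\\\\\w\d\d;..." unescapes to the regex \\\w\d\d;... and Splunk's
# (?<name>...) groups become Python's (?P<name>...).
PATTERN = re.compile(r"\\\w\d\d;\d\s(?P<first>\d)(?P<second>[1-9]|\s\d)")

# Constructed sample events, copied from the thread. The "\x00" text is a
# literal backslash, x, 0, 0 in the event, hence the raw strings.
HEAD = (r"2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;"
        r"LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;")
TAIL = r" ;\x00;\x00;\x00;0;0"
SAMPLES = [
    HEAD + "0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E" + TAIL,    # no space case
    HEAD + "0 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E" + TAIL, # space case
    HEAD + "5 52 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E" + TAIL,
    HEAD + "0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10" + TAIL,
    HEAD + "0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0" + TAIL,    # second digit is 0
]


def extract(event):
    """Return (first, second) as the accepted regex captures them, or None."""
    m = PATTERN.search(event)
    if m is None:
        return None
    # The "\s\d" alternative keeps the leading space in "second"; strip it so
    # "0 0 4" yields ("0", "4") rather than ("0", " 4").
    return m.group("first"), m.group("second").strip()


def extract_all(events):
    """Run the extraction over a list of events (None where the regex fails)."""
    return [extract(e) for e in events]


if __name__ == "__main__":
    # Field 10 (0-based, split on ";") is the payload the regex reads from.
    for event, result in zip(SAMPLES, extract_all(SAMPLES)):
        print(event.split(";")[10].strip(), "->", result)
```

Running it shows the regex handling both the "22" and the "0 4" layouts, and returning no match for the "0 40" sample, since neither alternative of the second group accepts a literal 0 directly after the first digit.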

Path Finder

Thank you everybody, I think I'm going to use the regex written by @martynoconnor with the fillnull command to fill in the "0" values that get skipped.

Again, thank you so much!

0 Karma

Esteemed Legend

Did you accept the right one? Did you mention the wrong person in this comment?

0 Karma

Esteemed Legend

Like this:

... | rex "([\d,a-f,A-F]+\s+)(?<f1>[\d,a-f,A-F]+)\s+(?<f2>[\d,a-f,A-F]+)\s+([\d,a-f,A-F]+\s+){15}"

Builder

Oh, here is a little bit different take...

^(.*;){9}\d\s(?P<Field1>\d)(?P<Field2>\d)

Builder

I just noticed the data in gcusello's session in regex101 is different from the data provided in the post above. There is a space between the two fields to be captured in gcusello's session in regex101. Does the original data have variances like this, or is it consistently one way or the other?

0 Karma

Path Finder

There is no space between the two values I need to extract, they'll always be grouped like in my example.

0 Karma

Path Finder

Oops, sorry, I was wrong: when the values of the field are different from 0 there is no space, but when the first or the second is at 0 there is a space, like this:

0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

0 Karma

Contributor

So there are two possibilities in your data?
It can be 0 4 0 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0
OR 0 44 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0

Am I right?

0 Karma

Path Finder

Yes, there are these two possibilities, and your expression:

"\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"

works very well!!! Thank you so much!

Can you please re-send it so I can accept it? 🙂

0 Karma

Path Finder

Sorry guys, I don't know why I didn't get any notifications of your replies.

Here are some more samples:

     2019-05-02 08:29:05.225;2019-05-02 08:29:05.225;2019-05-02 07:29:05.225;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;5 52 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0

     2019-05-03 09:32:12.552;2019-05-03 09:32:12.552;2019-05-02 09:32:12.552;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;1 73 0 0 0 0 0 8 0 0 0 0 0 0 0 C CD 39 ;\x00;\x00;\x00;0;0

     2019-05-03 10:17:15.355;2019-05-03 10:17:15.355;2019-05-03 10:32:15.355;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 02 0 0 0 0 0 8 0 0 0 0 0 0 0 1 89 10 ;\x00;\x00;\x00;0;0

     2019-05-03 11:16:03.012;2019-05-03 11:16:03.012;2019-05-03 11:16:06.012;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 40 0 0 0 0 0 8 0 0 0 0 0 0 0 2 D8 B0 ;\x00;\x00;\x00;0;0

I tried the 3 propositions you made and only the expression written by @martynoconnor gets me a result, but it returns an empty value when the first number extracted is "0".

Thank you for your answers! 🙂

0 Karma

Legend

Hi le_barbucheron,
let me understand: do you want the second numeric value in a field and the third one in another field?

If this is your need, try something like this:

^([^;]*;){10}\d\s(?P<Field1>\d)\s(?P<Field2>\d)

You can test it at https://regex101.com/r/7SRUfz/2

Bye.
Giuseppe

0 Karma

Communicator

I'd need to see more sample events to ensure this regex isn't too focused on one event, but this works:

x00;\d\s(?<capturegroup1>\d)(?<capturegroup2>\d)

Path Finder

Please post an additional sample.
Are the values you are showing only going to contain values between 0 and 9? Your original event has 22 instead of 2 2.

Contributor

@le_barbucheron Try this 🙂

Cheers,
Harsh

Path Finder

Sure, I tried your answer but I don't know why it doesn't work on my events, while it works perfectly on regex101.

0 Karma

Contributor

Can you please try this search and see if it works?

| makeresults count=1 
| eval _raw = "2019-05-02 07:26:07.283;2019-05-02 05:26:07.283;2019-05-02 07:26:07.283;LOOKINGFORACTION;TO;SOMESTRING;FROM;SOMESTRING;MSG [223];\x00;0 22 0 0 0 0 0 8 0 0 0 0 0 0 0 2 FC 3E ;\x00;\x00;\x00;0;0" 
| rex field=_raw "\\\\x\d\d;\d\s(?<first>\d)(?<second>\d)"