Splunk Search

How to generate a search that will find values which are hexadecimal only?

drinkingjimmy
Explorer

I have a query which returns a field which is occasionally a 13-digit hexadecimal value, and occasionally a string which may or may not be 13 characters long. I'd like to create an output of just the items which match hex.

There is lots written on converting hex, but I want to leave it intact for the search.

Thanks!

0 Karma
1 Solution

gokadroid
Motivator

If your field is called myHexField which will contain either hex or non-hex value can you try using regex command as below:

1) If your hex values have a format of myHexField=0xffffaaaa0000b then try this which will only filter events that have the hex values in the format 0xffffaaaa0000b:

index=yourIndex sourcetype=yourSourcetype | regex  myHexField="0x[0-9a-fA-F]{13}" | complete your query

See here

2) If your hex values do not have a leading 0x and appear normally as myHexField=ffffaaaa0000b then try:

index=yourIndex sourcetype=yourSourcetype | regex  myHexField="[0-9a-fA-F]{13}" | complete your query

Also if there are any additional characters like : in your hex value for example ffff:aaaa:cccc:0 then place them accordingly inside the capturing group [0-9a-fA-F\:] and adjust the {13} accordingly which only captures 13 values within the capturing group.

View solution in original post

gokadroid
Motivator

If your field is called myHexField which will contain either hex or non-hex value can you try using regex command as below:

1) If your hex values have a format of myHexField=0xffffaaaa0000b then try this which will only filter events that have the hex values in the format 0xffffaaaa0000b:

index=yourIndex sourcetype=yourSourcetype | regex  myHexField="0x[0-9a-fA-F]{13}" | complete your query

See here

2) If your hex values do not have a leading 0x and appear normally as myHexField=ffffaaaa0000b then try:

index=yourIndex sourcetype=yourSourcetype | regex  myHexField="[0-9a-fA-F]{13}" | complete your query

Also if there are any additional characters like : in your hex value for example ffff:aaaa:cccc:0 then place them accordingly inside the capturing group [0-9a-fA-F\:] and adjust the {13} accordingly which only captures 13 values within the capturing group.

drinkingjimmy
Explorer

The latter worked for me, since there is no 0x preceding the values. Thanks!

0 Karma

cmerriman
Super Champion
|rex field=fieldname "(?<hex>[0-9a-fA-F]{13})"

will something like this work for you?

drinkingjimmy
Explorer

I'm still getting all the values for the field.

I piped this in right before my call to stats, and my tables are still full of both hex and non-hex values.:

search |rex field=devicename"(?[0-9a-fA-F]{13})" | stats values(devicename) as devices by user |where mvcount(devices)>1

I'm trying to get a list of users who have more than 1 device assigned which has a hexadecimal device name, along with the names of the hexadecimal devices.

0 Karma

cmerriman
Super Champion

are you trying to only bring back the hex devices? in my command, I was creating a field called hex to bring back hexadecimal values that are 13 characters long. I suppose my syntax would take any numeric, alpha, or alphanumeric value as long as it was 13 characters in length. Does the hex start with the same value or end with the same value?

test the regex command here with some of the values in your devicename field:
https://regex101.com/

doc for rex command:
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...