I have a query which returns a field which is occasionally a 13-digit hexadecimal value, and occasionally a string which may or may not be 13 characters long. I'd like to create an output of just the items which match hex.
There is lots written on converting hex, but I want to leave it intact for the search.
Thanks!
If your field is called myHexField, which will contain either a hex or a non-hex value, can you try using the regex command as below:
1) If your hex values have a format of myHexField=0xffffaaaa0000b then try this, which will only keep events that have the hex values in the format 0xffffaaaa0000b:
index=yourIndex sourcetype=yourSourcetype | regex myHexField="0x[0-9a-fA-F]{13}" | complete your query
2) If your hex values do not have a leading 0x and appear normally as myHexField=ffffaaaa0000b then try:
index=yourIndex sourcetype=yourSourcetype | regex myHexField="[0-9a-fA-F]{13}" | complete your query
Also, if there are any additional characters like : in your hex value, for example ffff:aaaa:cccc:0, then place them accordingly inside the capturing group [0-9a-fA-F\:] and adjust the {13} accordingly, which only captures 13 values within the capturing group.
The latter worked for me, since there is no 0x preceding the values. Thanks!
|rex field=fieldname "(?<hex>[0-9a-fA-F]{13})"
will something like this work for you?
I'm still getting all the values for the field.
I piped this in right before my call to stats, and my tables are still full of both hex and non-hex values:
search | rex field=devicename "(?<hex>[0-9a-fA-F]{13})" | stats values(devicename) as devices by user | where mvcount(devices)>1
I'm trying to get a list of users who have more than 1 device assigned which has a hexadecimal device name, along with the names of the hexadecimal devices.
are you trying to only bring back the hex devices? in my command, I was creating a field called hex to bring back hexadecimal values that are 13 characters long. I suppose my syntax would take any numeric, alpha, or alphanumeric value as long as it was 13 characters in length. Does the hex start with the same value or end with the same value?
test the regex command here with some of the values in your devicename field:
https://regex101.com/
doc for rex command:
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex
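An added worked example (not from the thread or from Splunk) that emulates in Python what the two approaches above do, so the difference can be checked offline before running it against real data. It models the `regex` answer (filter events whose field matches `[0-9a-fA-F]{13}`), the `rex` suggestion (extract a `hex` field, which on its own drops no events, which is why the tables stayed full), and the `stats ... by user | where mvcount(devices)>1` step. The event list, user names and device names are constructed for the example. One point the example adds beyond the thread: both `regex` and `rex` match unanchored, so `{13}` also matches any value that merely contains a run of 13 hex characters (a 16-character hex name, for instance); the `ANCHORED` pattern with `^` and `$` is the variant that keeps only values that are exactly 13 hex digits, with an optional `0x` prefix.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original thread): one device assignment per event.
EVENTS = [
    {"user": "alice", "devicename": "ffffaaaa0000b"},      # 13-char hex
    {"user": "alice", "devicename": "0123456789abc"},      # 13-char hex
    {"user": "alice", "devicename": "alice-laptop"},       # not hex
    {"user": "bob",   "devicename": "0123456789abcdef"},   # 16 hex chars: contains a 13-char run
    {"user": "bob",   "devicename": "deadbeefcafe1"},      # 13-char hex
    {"user": "carol", "devicename": "0xffffaaaa0000b"},    # 0x-prefixed form from the thread
    {"user": "carol", "devicename": "printer-lobby"},      # not hex
    {"user": "dave",  "devicename": "ffff:aaaa:cccc:0"},   # colon-separated, no 13-char run
]

# Pattern as used in the thread's `regex` and `rex` commands: unanchored, so it matches
# any value that CONTAINS 13 consecutive hex characters.
UNANCHORED = re.compile(r"[0-9a-fA-F]{13}")

# Anchored variant (added here): the whole value must be 13 hex digits, optional 0x prefix.
ANCHORED = re.compile(r"^(?:0x)?[0-9a-fA-F]{13}$")


def is_hex_device(name, anchored=True):
    """Emulates `| regex devicename="..."`: True if the event would be kept."""
    pattern = ANCHORED if anchored else UNANCHORED
    return pattern.search(name) is not None


def rex_extract(events):
    """Emulates `| rex field=devicename "(?<hex>[0-9a-fA-F]{13})"`.

    rex only adds a field; every input event is passed through, so the
    returned list has the same length as the input.
    """
    out = []
    for e in events:
        m = UNANCHORED.search(e["devicename"])
        out.append({**e, "hex": m.group(0) if m else None})
    return out


def hex_devices_per_user(events, min_devices=2, anchored=True):
    """Emulates the full pipeline:
    | regex devicename="..." | stats values(devicename) as devices by user
    | where mvcount(devices) >= min_devices
    Returns {user: sorted list of distinct hex device names}.
    """
    devices = defaultdict(set)
    for e in events:
        if is_hex_device(e["devicename"], anchored=anchored):
            devices[e["user"]].add(e["devicename"])
    return {u: sorted(d) for u, d in devices.items() if len(d) >= min_devices}


if __name__ == "__main__":
    print("rex keeps all events:", len(rex_extract(EVENTS)), "of", len(EVENTS))
    print("anchored  :", hex_devices_per_user(EVENTS))
    print("unanchored:", hex_devices_per_user(EVENTS, anchored=False))
```

With the unanchored pattern, bob's 16-character device name is counted as a hex device because it contains a 13-character hex run; with the anchored pattern only alice qualifies. Running `rex` alone returns all eight events, which matches the observation above that the tables were still full of non-hex names: the filtering has to be done by `regex` (or by a `where isnotnull(hex)` after the `rex`), not by the extraction itself.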