Splunk Search

How to generate a search that will find values which are hexadecimal only?

drinkingjimmy
Explorer

I have a query which returns a field which is occasionally a 13-digit hexadecimal value, and occasionally a string which may or may not be 13 characters long. I'd like to create an output of just the items which match hex.

There is lots written on converting hex, but I want to leave it intact for the search.

Thanks!

1 Solution

gokadroid
Motivator

If your field is called myHexField, which will contain either a hex or a non-hex value, can you try using the regex command as below:

1) If your hex values have a format of myHexField=0xffffaaaa0000b, then try this, which will only filter events that have the hex values in the format 0xffffaaaa0000b:

index=yourIndex sourcetype=yourSourcetype | regex myHexField="0x[0-9a-fA-F]{13}" | complete your query

See here

2) If your hex values do not have a leading 0x and appear normally as myHexField=ffffaaaa0000b, then try:

index=yourIndex sourcetype=yourSourcetype | regex myHexField="[0-9a-fA-F]{13}" | complete your query

Also, if there are any additional characters like : in your hex value, for example ffff:aaaa:cccc:0, then place them accordingly inside the capturing group [0-9a-fA-F\:] and adjust the {13} accordingly, which only captures 13 values within the capturing group.
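The three patterns from the answer above, run with Python's re module over a handful of constructed sample values. This is an added example, not code from the answer or from Splunk; SAMPLE_VALUES, is_hex13, filter_hex and is_hex_colon are names introduced here, and the sample strings are made up.

```python
import re

# The answer's patterns: with and without the 0x prefix.
HEX13_PREFIXED = re.compile(r"0x[0-9a-fA-F]{13}")
HEX13_PLAIN = re.compile(r"[0-9a-fA-F]{13}")
# The answer's ':'-separated variant: ':' added to the class and the repeat
# count set to the total length, 16 for ffff:aaaa:cccc:0.
HEX_COLON = re.compile(r"[0-9a-fA-F:]{16}")

# Constructed sample values for a field such as myHexField / devicename.
SAMPLE_VALUES = [
    "ffffaaaa0000b",        # 13 hex chars, no prefix
    "0xffffaaaa0000b",      # 13 hex chars with 0x prefix
    "printer-lobby",        # non-hex, 13 chars long
    "deadbeefcafe12345",    # 17 hex chars: contains a 13-char hex run
    "1234567890123",        # 13 decimal digits: still inside [0-9a-fA-F]
    "abc",                  # too short
]


def is_hex13(value, prefixed=False, anchored=True):
    """True if value is (anchored) or contains (unanchored) a 13-char hex run.

    anchored=True uses fullmatch, i.e. the whole value must be the hex run;
    anchored=False uses search, which is what an unanchored regex does.
    """
    pat = HEX13_PREFIXED if prefixed else HEX13_PLAIN
    m = pat.fullmatch(value) if anchored else pat.search(value)
    return m is not None


def filter_hex(values, prefixed=False, anchored=True):
    """Keep only the values the chosen pattern accepts, in input order."""
    return [v for v in values if is_hex13(v, prefixed=prefixed, anchored=anchored)]


def is_hex_colon(value):
    """Whole-value check for the 16-char ':'-separated form from the answer."""
    return HEX_COLON.fullmatch(value) is not None


if __name__ == "__main__":
    for label, kwargs in [("plain, anchored", {}),
                          ("plain, unanchored", {"anchored": False}),
                          ("0x-prefixed, anchored", {"prefixed": True})]:
        print(f"{label}: {filter_hex(SAMPLE_VALUES, **kwargs)}")
    print("colon form:", is_hex_colon("ffff:aaaa:cccc:0"))
```

Two things the unanchored output makes visible: the `regex` command, like `re.search`, matches anywhere in the value, so the answer's patterns also accept longer strings that merely contain 13 hex characters (add `^` and `$` to the pattern if only whole-value matches are wanted), and a 13-digit decimal value satisfies the character class, since `0-9` is part of it.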



drinkingjimmy
Explorer

The latter worked for me, since there is no 0x preceding the values. Thanks!


cmerriman
Super Champion

|rex field=fieldname "(?<hex>[0-9a-fA-F]{13})"

Will something like this work for you?

drinkingjimmy
Explorer

I'm still getting all the values for the field.

I piped this in right before my call to stats, and my tables are still full of both hex and non-hex values:

search | rex field=devicename "(?<hex>[0-9a-fA-F]{13})" | stats values(devicename) as devices by user | where mvcount(devices)>1

I'm trying to get a list of users who have more than 1 device assigned which has a hexadecimal device name, along with the names of the hexadecimal devices.


cmerriman
Super Champion

Are you trying to only bring back the hex devices? In my command, I was creating a field called hex to bring back hexadecimal values that are 13 characters long. I suppose my syntax would take any numeric, alpha, or alphanumeric value as long as it was 13 characters in length. Does the hex start with the same value or end with the same value?

Test the regex command here with some of the values in your devicename field:
https://regex101.com/

doc for rex command:
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex

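The exchange above comes down to the difference between extracting a field and filtering on it: `rex` adds a `hex` field to every event and drops none, which is why the asker's stats table still held every device, while `regex` keeps only matching events. This added Python emulation of the asker's pipeline (not code from the thread or from Splunk) shows both steps over constructed events; EVENTS, rex_extract, regex_filter, stats_values_by_user and users_with_multiple_hex_devices are names introduced here.

```python
import re

# Anchored form of the pattern used in the thread, so only whole 13-char hex
# device names qualify.
HEX13 = re.compile(r"^[0-9a-fA-F]{13}$")

# Constructed sample events: (user, devicename).
EVENTS = [
    ("alice", "ffffaaaa0000b"),
    ("alice", "0123456789abc"),
    ("alice", "alice-laptop"),
    ("bob",   "deadbeef00001"),
    ("bob",   "bob-phone"),
    ("carol", "laptop-carol"),
]


def rex_extract(events):
    """Like `rex field=devicename "(?<hex>...)"`: adds a hex field, keeps every event."""
    rows = []
    for user, name in events:
        m = HEX13.search(name)
        rows.append({"user": user, "devicename": name,
                     "hex": m.group(0) if m else None})
    return rows


def regex_filter(events):
    """Like `regex devicename="^[0-9a-fA-F]{13}$"`: keeps only matching events."""
    return [e for e in events if HEX13.search(e[1])]


def stats_values_by_user(events):
    """Like `stats values(devicename) as devices by user`.

    values() returns the distinct values in lexicographic order, so the
    multivalue field is modelled as a sorted list.
    """
    groups = {}
    for user, name in events:
        groups.setdefault(user, set()).add(name)
    return {user: sorted(names) for user, names in groups.items()}


def users_with_multiple_hex_devices(events):
    """The asker's goal: users with more than one hex-named device, plus those names.

    The filter runs before stats, so non-hex names never reach mvcount().
    """
    devices = stats_values_by_user(regex_filter(events))
    return {user: names for user, names in devices.items() if len(names) > 1}


if __name__ == "__main__":
    extracted = rex_extract(EVENTS)
    print(f"rex kept {len(extracted)} of {len(EVENTS)} events; "
          f"hex set on {sum(r['hex'] is not None for r in extracted)}")
    print("without filter:", stats_values_by_user(EVENTS))
    print("with filter:   ", users_with_multiple_hex_devices(EVENTS))
```

Without the filter, bob also passes `mvcount(devices)>1` because his non-hex phone is counted; with it, only alice remains. In SPL the same effect follows from putting `regex` before `stats`, or from keeping the `rex` extraction and dropping the non-matching rows with `search hex=*` before the stats call.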