Splunk Search

How to generate a search that will find values which are hexadecimal only?

Explorer

I have a query which returns a field which is occasionally a 13-digit hexadecimal value, and occasionally a string which may or may not be 13 characters long. I'd like to create an output of just the items which match hex.

There is lots written on converting hex, but I want to leave it intact for the search.

Thanks!

0 Karma
1 Solution

Motivator

If your field is called myHexField and contains either a hex or a non-hex value, can you try using the regex command as below:

1) If your hex values have the format myHexField=0xffffaaaa0000b, then try this, which will only filter events that have hex values in the format 0xffffaaaa0000b (anchored with ^ and $ so that only a whole-value match passes):

index=yourIndex sourcetype=yourSourcetype | regex myHexField="^0x[0-9a-fA-F]{13}$" | complete your query

2) If your hex values do not have a leading 0x and appear as myHexField=ffffaaaa0000b, then try:

index=yourIndex sourcetype=yourSourcetype | regex myHexField="^[0-9a-fA-F]{13}$" | complete your query

Also, if there are any additional characters like : in your hex value (for example ffff:aaaa:cccc:0), then place them accordingly inside the capturing group [0-9a-fA-F\:] and adjust the {13} accordingly, which only captures 13 values within the capturing group.


Explorer

The latter worked for me, since there is no 0x preceding the values. Thanks!

0 Karma

Super Champion

|rex field=fieldname "(?<hex>[0-9a-fA-F]{13})"

Will something like this work for you?

Explorer

I'm still getting all the values for the field.

I piped this in right before my call to stats, and my tables are still full of both hex and non-hex values:

search | rex field=devicename "(?<hex>[0-9a-fA-F]{13})" | stats values(devicename) as devices by user | where mvcount(devices)>1

I'm trying to get a list of users who have more than 1 device assigned which has a hexadecimal device name, along with the names of the hexadecimal devices.

0 Karma

Super Champion

Are you trying to only bring back the hex devices? In my command, I was creating a field called hex to bring back hexadecimal values that are 13 characters long. I suppose my syntax would take any numeric, alpha, or alphanumeric value as long as it was 13 characters in length. Does the hex start with the same value or end with the same value?

Test the regex command here with some of the values in your devicename field:
https://regex101.com/

Doc for the rex command:
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex

0 Karma
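The following is an added Python example, not code from anyone in the thread. It emulates the two SPL commands discussed above, `regex` (the accepted answer) and `rex` (the later query that still returned every device), over a constructed set of user/devicename events, and shows two things a practitioner would want to check: the unanchored pattern `[0-9a-fA-F]{13}` also accepts values that are longer than 13 characters or merely contain a 13-character hex run, so the pattern should be anchored with `^` and `$`; and `rex` only extracts a new field, it never drops events, which is why a `rex` followed by `stats` still lists non-hex device names. The event list, the `regex_filter`/`rex_extract`/`users_with_multiple_devices` helpers and the user names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original thread): one device
# assignment per event, mixing 13-character hex names, non-hex names and
# near misses that an unanchored pattern wrongly accepts.
EVENTS = [
    {"user": "alice", "devicename": "ffffaaaa0000b"},    # 13 hex chars
    {"user": "alice", "devicename": "0123456789abc"},    # 13 hex chars
    {"user": "alice", "devicename": "alice-laptop"},     # not hex
    {"user": "bob",   "devicename": "deadbeefcafe0"},    # 13 hex chars
    {"user": "bob",   "devicename": "deadbeefcafez"},    # 13 chars, but 'z' is not hex
    {"user": "carol", "devicename": "ffffaaaa0000bb"},   # 14 hex chars: too long
    {"user": "carol", "devicename": "xxffffaaaa0000b"},  # 13 hex chars inside a longer string
    {"user": "dave",  "devicename": "0xffffaaaa0000b"},  # 0x-prefixed form
    {"user": "dave",  "devicename": "0x0123456789ABC"},  # 0x-prefixed, upper case
]

# Patterns from the thread. Splunk's regex command matches anywhere in the
# field value, so the unanchored form accepts any value that *contains* 13
# consecutive hex characters; the anchored forms require the whole value to match.
UNANCHORED_HEX13 = r"[0-9a-fA-F]{13}"
ANCHORED_HEX13 = r"^[0-9a-fA-F]{13}$"
ANCHORED_0X_HEX13 = r"^0x[0-9a-fA-F]{13}$"


def regex_filter(events, field, pattern):
    """Emulate `| regex <field>="<pattern>"`: keep only events whose field matches.

    re.search (not re.fullmatch) mirrors Splunk's unanchored matching, which is
    why the caller must anchor the pattern to get whole-value matches."""
    rx = re.compile(pattern)
    return [e for e in events if field in e and rx.search(e[field])]


def rex_extract(events, field, pattern, newfield):
    """Emulate `| rex field=<field> "(?<newfield><pattern>)"`.

    Every event is kept; the new field is only added where the pattern matches.
    Nothing is filtered, which is the behaviour the asker ran into."""
    rx = re.compile(pattern)
    out = []
    for e in events:
        e = dict(e)
        m = rx.search(e.get(field, ""))
        if m:
            e[newfield] = m.group(0)
        out.append(e)
    return out


def users_with_multiple_devices(events, field="devicename"):
    """Emulate `| stats values(<field>) as devices by user | where mvcount(devices)>1`.

    Returns {user: sorted list of distinct device names} for users with more
    than one distinct value of <field>."""
    by_user = defaultdict(set)
    for e in events:
        if field in e:
            by_user[e["user"]].add(e[field])
    return {u: sorted(d) for u, d in by_user.items() if len(d) > 1}


def users_with_multiple_hex_devices(events, pattern=ANCHORED_HEX13):
    """The asker's goal: users with more than one hex-named device, plus the
    names. Filtering with `regex` must happen before `stats`, otherwise the
    non-hex names are still counted."""
    return users_with_multiple_devices(regex_filter(events, "devicename", pattern))


if __name__ == "__main__":
    for name, pat in [("unanchored", UNANCHORED_HEX13),
                      ("anchored", ANCHORED_HEX13),
                      ("anchored 0x", ANCHORED_0X_HEX13)]:
        kept = [e["devicename"] for e in regex_filter(EVENTS, "devicename", pat)]
        print(f"regex {name:12s}: {kept}")
    # rex keeps all events: stats then reports every user, hex or not
    print("rex then stats:", users_with_multiple_devices(
        rex_extract(EVENTS, "devicename", UNANCHORED_HEX13, "hex")))
    # regex (anchored) then stats: only users with >1 hex-only device names
    print("regex then stats:", users_with_multiple_hex_devices(EVENTS))
```

In SPL terms, the filtering form of the asker's pipeline would be `search | regex devicename="^[0-9a-fA-F]{13}$" | stats values(devicename) as devices by user | where mvcount(devices)>1`; the `^` and `$` are what keep a 14-character hex name or a name that merely embeds 13 hex characters out of the result, and `regex` rather than `rex` is what drops the non-matching events before `stats` counts them.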