Splunk Search

How to identify '\n' in Splunk rex?

Tao_Zeng
Explorer

SPL as below: 

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"

|rex max_match=0 field=TEST "P-Access-Network-Info:\s*(?<KeyValue>.+)\\n"

what I want  is to get "3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103"  by identifying \n  as the end .

But \\n seem not work for splunk,  I tried \n, but still failed. 

 

Labels (3)
0 Karma
1 Solution

yeahnah
Motivator

Hi @Tao_Zeng 

When using search you also need to escape the backslash 

https://docs.splunk.com/Documentation/Splunk/9.1.0/Search/SPLandregularexpressions#Backslash_charact...

So, this should work...

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"

|rex max_match=0 field=TEST "P-Access-Network-Info:\s*(?<KeyValue>.+)\\\n"




View solution in original post

GaetanVP
Contributor

Hello @Tao_Zeng,

You could try something like this 

 

| makeresults 
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n" 
| rex field=TEST "P-Access-Network-Info: (?<KeyValue>.+?)\\\n" 
| table KeyValue

 

GaetanVP_0-1688986725897.pngThanks @yeahnah for the triple backslash, I didn't know it. I thought one "/" to exclude the "/" afterwards would be enough, and n is a literal character so I do not really understand... But it's working !

Regards,
GaetanVP

0 Karma

GaetanVP
Contributor

Hello @Tao_Zeng,

You can try the following :

 

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"
| rex field=TEST "P-Access-Network-Info: (?<KeyValue>.+?)\\\n"
| table KeyValue

 

GaetanVP_0-1688975462090.png

Thanks @yeahnah for the triple backslash, I didn't know that... I would have put only two // in order to escape the / itself but then the n is a literal character so I do not really understand...

Regards,

GaetanVP

Tags (1)
0 Karma

GaetanVP
Contributor

Hello @Tao_Zeng,

You can try the following :

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"
| rex field=TEST "P-Access-Network-Info: (?<KeyValue>.+?)\\\n"
| table KeyValue

GaetanVP_0-1688975462090.png

Thanks @yeahnah for the triple backslash, I didn't know that... I would have put only two // in order to escape the / itself but then the n is a literal character so I do not really understand...

Regards,

GaetanVP

0 Karma

yeahnah
Motivator

Hi @Tao_Zeng 

When using search you also need to escape the backslash 

https://docs.splunk.com/Documentation/Splunk/9.1.0/Search/SPLandregularexpressions#Backslash_charact...

So, this should work...

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"

|rex max_match=0 field=TEST "P-Access-Network-Info:\s*(?<KeyValue>.+)\\\n"




Gr0und_Z3r0
Contributor

hi @Tao_Zeng 

One way of doing it is like this.

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"

| makemv TEST delim="\n"
| rex field=TEST "P-Access-Network-Info:\s+(?P<access_network_info>.*)"

Tao_Zeng
Explorer

thanks ,this also works

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...