Splunk Search

How to regex the field?

karthi2809
Builder

How to regex the field?

refId=Id-214f1652024d824e1f4cef63be666139\x00

What i used:
rex field=_raw "refId=Id-(?\w*-?\w*)

Expected : 214f1652024d824e1f4cef63be666139

0 Karma

vinod94
Contributor

You can try this,

|makeresults 
|eval data="Id-214f1652024d824e1f4cef63be666139\x00"
| rex field=data "Id\-(?P<field_name>.*)\\\\"
0 Karma

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval msg="refId=Id-214f1652024d824e1f4cef63be666139\x00" 
| rex field=msg "-(?P<output>.+)\\\\"
0 Karma

niketn
Legend

@karthi2809 please try the following

| rex "refId=Id-(?<refID>[^\\\]+)"

Following is a sample run anywhere search to test the same in Splunk

| makeresults
| eval _raw="refId=Id-214f1652024d824e1f4cef63be666139\x00"
| rex "refId=Id-(?<refID>[^\\\]+)"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nickhills
Ultra Champion

This is the best answer from an efficiency point of view - 13 Steps (but watch how many \\ you use)
https://regex101.com/r/IXnuzE/1

The other examples, whilst working both involve > 75 steps.

If my comment helps, please give it a thumbs up!
0 Karma

vnravikumar
Champion
 | rex field=msg "\-(?P<output>[^\\\]+)" with 6 Steps
0 Karma

nickhills
Ultra Champion

Ha, that's cheating, you changed It! 😄

But yes, that's fewer steps, although the step count is only reduced because there are fewer characters to process.

The trade-off is that since you are being less specific with the preceding character match, the chances of a false positive are higher. Not an issue given the very limited example in the post, but matching preceding strings does not add any real penalty, and gives you the confidence of reducing FPs.
Join the regex channel on Splunk Slack if you fancy getting down in the weeds on regex performance!
There is even a weekly competition!

If my comment helps, please give it a thumbs up!
0 Karma

vnravikumar
Champion

🙂 I accept you.

0 Karma

vnravikumar
Champion

@nickhillscpl, thanks I had joined.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...