- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to regex the field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to regex the field?
How to regex the field?
refId=Id-214f1652024d824e1f4cef63be666139\x00
What i used:
rex field=_raw "refId=Id-(?\w*-?\w*)
Expected : 214f1652024d824e1f4cef63be666139
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try this,
|makeresults
|eval data="Id-214f1652024d824e1f4cef63be666139\x00"
| rex field=data "Id\-(?P<field_name>.*)\\\\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
| makeresults
| eval msg="refId=Id-214f1652024d824e1f4cef63be666139\x00"
| rex field=msg "-(?P<output>.+)\\\\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthi2809 please try the following
| rex "refId=Id-(?<refID>[^\\\]+)"
Following is a sample run anywhere search to test the same in Splunk
| makeresults
| eval _raw="refId=Id-214f1652024d824e1f4cef63be666139\x00"
| rex "refId=Id-(?<refID>[^\\\]+)"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the best answer from an efficiency point of view - 13 Steps (but watch how many \\ you use)
https://regex101.com/r/IXnuzE/1
The other examples, whilst working both involve > 75 steps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex field=msg "\-(?P<output>[^\\\]+)" with 6 Steps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ha, that's cheating, you changed It! 😄
But yes, that's fewer steps, although the step count is only reduced because there are fewer characters to process.
The trade-off is that since you are being less specific with the preceding character match, the chances of a false positive are higher. Not an issue given the very limited example in the post, but matching preceding strings does not add any real penalty, and gives you the confidence of reducing FPs.
Join the regex channel on Splunk Slack if you fancy getting down in the weeds on regex performance!
There is even a weekly competition!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
🙂 I accept you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nickhillscpl, thanks I had joined.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
