Need Regex help

SabariRajanT · ‎08-27-2021

Hi All,

I will be getting a list of MD5 hash values in my logs. Need a regex expression for the below.

Therefore whenever am getting md5 hash values.

"md5":"b78269ef4034474766cb1351e94edf5c",

gcusello · ‎08-27-2021

please try this:

| rex "\"md5\":\"(?<md5>[^\"]+)"

that you can test at https://regex101.com/r/DPpHQi/1

Ciao.

Giuseppe

SabariRajanT · ‎08-27-2021

@gcusello Thanks for your quick response.

The rex which you provided it doesn't work for other data which has MD5. one thing I notice in logs before md5 that starts with "","" and end with "","". Using that can you provide rex.

"",""md5"":""b147fbdbd44374f73a763531c8d1093d"",""sha1"":null,""

gcusello · ‎08-27-2021

Hi @SabariRajanT,

ok, please try this:

| rex "\"\"md5\"\":\"\"(?<md5>[^\"]+)"

that you can test at https://regex101.com/r/DPpHQi/2

Ciao.

Giuseppe

SabariRajanT · ‎08-27-2021

@gcusello The rex which is provided earlier, doesn't working.

Thanks

gcusello · ‎08-27-2021

Hi @SabariRajanT,

Please, share some additional samples, because, as you can see, using the sample you provided it's running.

Ciao.

Giuseppe

SabariRajanT · ‎08-27-2021

Can I have your email Id please @gcusello to send the full logs. Since the file size is huge.

gcusello · ‎08-28-2021

Hi @SabariRajanT,

as you can see at https://regex101.com/r/DPpHQi/3

the first regex perfectly matches the sample you shared

| rex "\"md5\":\"(?<md5>[^\"]+)"

What's the behaviour of your regex? why do you see that it doesn't run?

Ciao.

Giuseppe

Need Regex help

regex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?