Splunk Search

Need Regex help

SabariRajanT
Path Finder

Hi All,

I will be getting a list of MD5 hash values in my logs. I need a regex expression for the below.

Therefore whenever I am getting md5 hash values.

 

"md5":"b78269ef4034474766cb1351e94edf5c",

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

please try this:

| rex "\"md5\":\"(?<md5>[^\"]+)"

that you can test at https://regex101.com/r/DPpHQi/1

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

@gcusello Thanks for your quick response.

The rex which you provided doesn't work for other data which has MD5. One thing I notice in the logs is that before md5 it starts with "","" and ends with "","". Using that, can you provide a rex?

 

"",""md5"":""b147fbdbd44374f73a763531c8d1093d"",""sha1"":null,""

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

ok, please try this:

| rex "\"\"md5\"\":\"\"(?<md5>[^\"]+)"

that you can test at https://regex101.com/r/DPpHQi/2

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

@gcusello The rex which was provided earlier doesn't work.

Thanks

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

Please, share some additional samples, because, as you can see, using the sample you provided it's running.

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

Can I have your email ID please, @gcusello, to send the full logs, since the file size is huge?

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

as you can see at https://regex101.com/r/DPpHQi/3

the first regex perfectly matches the sample you shared

| rex "\"md5\":\"(?<md5>[^\"]+)"

What's the behaviour of your regex? Why do you see that it doesn't run?

Ciao.

Giuseppe

0 Karma
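Added example, not posted by anyone in the thread: a single `rex` that accepts both quoting styles shown in the two samples above (`"md5":"…"` and the doubled-quote form `""md5"":""…""`) and captures only a value that is exactly 32 hexadecimal characters. The three events are constructed with `makeresults` from the thread's two hash values plus one deliberately invalid value; the field name `n` is an assumption used only to label the rows, and `max_match=0` is used so that an event holding several hashes returns all of them as a multivalue field.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"md5\":\"b78269ef4034474766cb1351e94edf5c\",\"sha1\":null}",
    n=2, "\"\",\"\"md5\"\":\"\"b147fbdbd44374f73a763531c8d1093d\"\",\"\"sha1\"\":null,\"\"",
    n=3, "{\"md5\":\"not-a-hash\"}")
| rex field=_raw max_match=0 "\"{1,2}md5\"{1,2}:\"{1,2}(?<md5>[0-9a-fA-F]{32})\"{1,2}"
| table n md5 _raw
```

Rows 1 and 2 return their hash in `md5`; row 3 leaves `md5` empty because the value is not 32 hex characters, which keeps malformed or truncated values out of later lookups against hash lists.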