Splunk Search

Need Regex help

SabariRajanT
Path Finder

Hi All,

I will be getting a list of MD5 hash values in my logs. Need a regex expression for the below. 

Therefore, whenever I am getting md5 hash values.

 

"md5":"b78269ef4034474766cb1351e94edf5c",

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

please try this:

| rex "\"md5\":\"(?<md5>[^\"]+)"

that you can test at https://regex101.com/r/DPpHQi/1

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

@gcusello  Thanks for your quick response. 

The rex which you provided doesn't work for other data which has MD5. One thing I notice in the logs: before md5 it starts with "","" and ends with "","". Using that, can you provide a rex?

 

"",""md5"":""b147fbdbd44374f73a763531c8d1093d"",""sha1"":null,""

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

ok, please try this:

| rex "\"\"md5\"\":\"\"(?<md5>[^\"]+)"

that you can test at https://regex101.com/r/DPpHQi/2

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

@gcusello The rex which was provided earlier doesn't work.

Thanks

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

Please, share some additional samples, because, as you can see, using the sample you provided it's running.

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

Can I have your email ID please, @gcusello, to send the full logs, since the file size is huge?

0 Karma

gcusello
SplunkTrust

Hi  @SabariRajanT,

as you can see at  https://regex101.com/r/DPpHQi/3 

the first regex perfectly matches the sample you shared

| rex "\"md5\":\"(?<md5>[^\"]+)"

What's the behaviour of your regex? Why do you see that it doesn't run?

Ciao.

Giuseppe

0 Karma
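
An added example, not written by any poster in this thread: a Python check of one pattern that accepts both quoting styles shown above, the plain `"md5":"..."` form and the doubled-quote `""md5"":""...""` form, and only captures a value that is exactly 32 hex characters. The names `MD5_FIELD`, `extract_md5` and the sample events are constructed for illustration; the two hash values are the ones posted in the thread.

```python
import re

# Accept one or two quote characters around the key and the value, so the
# same pattern covers plain JSON and JSON embedded in a CSV field (where
# every quote is doubled). Require exactly 32 hex digits followed by a quote.
MD5_FIELD = re.compile(
    r'"{1,2}md5"{1,2}\s*:\s*"{1,2}(?P<md5>[0-9a-fA-F]{32})(?=")'
)


def extract_md5(event: str) -> list[str]:
    """Return every md5 value found in one raw event, lowercased."""
    return [m.group("md5").lower() for m in MD5_FIELD.finditer(event)]


# Constructed sample events; the two hash values are the ones posted above.
SAMPLES = [
    '"md5":"b78269ef4034474766cb1351e94edf5c",',
    '"",""md5"":""b147fbdbd44374f73a763531c8d1093d"",""sha1"":null,""',
    '""md5"":null,""sha1"":null',   # null value: nothing to extract
    '"md5":"not-a-hash"',            # wrong shape: nothing to extract
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_md5(line), "<-", line)
```

To use the same expression with `rex`, escape each double quote as `\"` inside the SPL string.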