Solved: Regex Help!

kiran331 · ‎09-30-2016

How can I change the format of the filed values using regex.

what it is now:
0xBCDDADAF7BSS

What I need:
remove 0x and : in between after 2 characters

BC:DD:AD:AF:7B:SS

msivill_splunk · ‎09-30-2016

A longer alternative..........

| stats count as text | eval text = "0xBCDDADAF7BSS" | rex field=text "0x(?<text_trim>.*)" | eval text_trim_colon = text_trim | rex field=text_trim_colon mode=sed "s/(..)/&:/g" | rex field=text_trim_colon "(?<text_trim_colon_result>.*):"

With the added bonus of handling fields of different lengths (multiples of 2)

View solution in original post

msivill_splunk · ‎09-30-2016

A longer alternative..........

| stats count as text | eval text = "0xBCDDADAF7BSS" | rex field=text "0x(?<text_trim>.*)" | eval text_trim_colon = text_trim | rex field=text_trim_colon mode=sed "s/(..)/&:/g" | rex field=text_trim_colon "(?<text_trim_colon_result>.*):"

With the added bonus of handling fields of different lengths (multiples of 2)

View solution in original post

javiergn · ‎09-30-2016

Just two comments:

1) If your number is hexadecimal then the SS at the end is wrong. If that was the case simply do the following:

your base search
| rex field=myfield max_match=0 "(?<newfield>[0-9a-fA-F]{2})"
| eval newfield = mvjoin(newfield, ":")

2) If your word can contain any characters (I don't understand the 0x then) you can try this instead:

your base search
| eval myfield = substr(myfield, 3)
| rex field=myfield max_match=0 "(?<newfield>[0-9a-zA-Z]{2})"
| eval newfield = mvjoin(newfield, ":")

Hope that helps

gcusello · ‎09-30-2016

add to your search

| rex "\w\w(?<ppp1>.{2})(?<ppp2>.{2})(?<ppp3>.{2})(?<ppp4>.{2})(?<ppp5>.{2})(?<ppp6>.{2})" | eval mynewfield=ppp1+":"+ppp2+":"+ppp3+":"+ppp4+":"+ppp5+":"+ppp6

Bye.
Giuseppe