Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing characters from output with rex

SplunkySplunk
Explorer
‎09-13-2020 06:49 AM

I`m trying to remove a hash string from my output-
"Example hash is 3ernksMt7b3EzKwHuW4papuEFtvePZtDs9CQFeVYy57= will not be cracked"
As the hash is changing but has unique specifications, I'm trying to implement a rex rule to catch every event with this rule- "[a-zA-Z0-9]+="
Unfortunately, I've tried multiple solutions from the forum but non worked for this case.

I would also appreciate a reference to the documentation on this issue (Understanding each part of the rex command)

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2020 07:32 AM

 

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

 

regex101.com is a good site to test regex expressions

View solution in original post

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-13-2020 08:30 AM

Worth watching regular expressions in Splunk

https://youtu.be/LoiyiCVGLnw

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2020 07:32 AM

 

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

 

regex101.com is a good site to test regex expressions

0 Karma
Reply
Solved! Jump to solution

SplunkySplunk
Explorer
‎09-13-2020 08:37 AM

Thank you
That what made the trick

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top