Splunk Search

Removing characters from output with rex

SplunkySplunk
Explorer

I`m trying to remove a hash string from my output-
"Example hash is 3ernksMt7b3EzKwHuW4papuEFtvePZtDs9CQFeVYy57= will not be cracked"
As the hash is changing but has unique specifications, I'm trying to implement a rex rule to catch every event with this rule- "[a-zA-Z0-9]+="
Unfortunately, I've tried multiple solutions from the forum but non worked for this case.

I would also appreciate a reference to the documentation on this issue (Understanding each part of the rex command)

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

 

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

 

regex101.com is a good site to test regex expressions

View solution in original post

0 Karma

thambisetty
SplunkTrust
SplunkTrust

Worth watching regular expressions in Splunk

https://youtu.be/LoiyiCVGLnw

————————————
If this helps, give a like below.

ITWhisperer
SplunkTrust
SplunkTrust

 

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

 

regex101.com is a good site to test regex expressions

0 Karma

SplunkySplunk
Explorer

Thank you
That what made the trick

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...