Splunk Search

Removing characters from output with rex

SplunkySplunk
Explorer

I`m trying to remove a hash string from my output-
"Example hash is 3ernksMt7b3EzKwHuW4papuEFtvePZtDs9CQFeVYy57= will not be cracked"
As the hash is changing but has unique specifications, I'm trying to implement a rex rule to catch every event with this rule- "[a-zA-Z0-9]+="
Unfortunately, I've tried multiple solutions from the forum but non worked for this case.

I would also appreciate a reference to the documentation on this issue (Understanding each part of the rex command)

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

 

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

 

regex101.com is a good site to test regex expressions

View solution in original post

0 Karma

thambisetty
SplunkTrust
SplunkTrust

Worth watching regular expressions in Splunk

https://youtu.be/LoiyiCVGLnw

————————————
If this helps, give a like below.

ITWhisperer
SplunkTrust
SplunkTrust

 

rex field=_raw mode=sed "s/[a-zA-Z0-9]+=//g"

This removes you hash from the _raw field - use a different field as appropriate. The sed command substitutes your pattern for nothing - you could replace it with something else. Note that this relies on there being a "=" at the end of the hash, which may or may not be true for all instances of your hashes. If it isn't true, you need a pattern the does match all your hashes or apply multiple rex commands to remove/replace hashes of different patterns

 

regex101.com is a good site to test regex expressions

0 Karma

SplunkySplunk
Explorer

Thank you
That what made the trick

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...