Solved: regex address

CyberWolf · ‎12-06-2024

im trying to capture address, city and state that are in one line but they have ", : and ,
i would like to excluede (Quotes Coma and Colon)
see test example below

12345 noth test Avenue","city":"test","state":"test",

gcusello · ‎12-06-2024

Hi @CyberWolf ,

please try:

<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state

Ciao.

Giuseppe

View solution in original post

CyberWolf · ‎12-06-2024

thanks but i think i wasn't clear what im trying to do is that all that to be in one field called (?<address>) not separated with city and state

gcusello · ‎12-06-2024

Hi @CyberWolf ,

let me understand, you want only one field, called address containing city and state, is it correct?

in this case, please try this:

<your_search>
| rex ".*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)"
| eval address=state." ".city

Ciao.

Giuseppe

dural_yyz · ‎12-06-2024

Creating the regex would be easy enough but it looks like your data is already coming in JSON or XML format. Is there a chance that the fields are already extracted as "city" and "state"? If not then I would recommend revisiting the ingestion props as a best practice. Rather than creating a lot of regex at search time if you had that field extraction during indexing then any changes to data would auto extract new fields.

.*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)

CyberWolf · ‎12-06-2024

correct it comes in json and i dont have control of it, but im trying to have is address city and state to be all in the field and ignore coma quotes and :

gcusello · ‎12-06-2024

Hi @CyberWolf ,

if the logs you have, you can use a regex like the following:

| rex "^[^,]+,\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"

that you can test at https://regex101.com/r/ZafgnI/1

I'd be more detailed if you can share a complete log, not onl a part of it.

Ciao.

Giuseppe

CyberWolf · ‎12-06-2024

example from the raw logs:
"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"

would like to have field name Address
Address
1234 Nothing 2C Avenue City something state RD

all that in one field so ignore the " , and :

What i have
index=something
| rex field=_raw "address\"\:\"(?<address>.*?)\"\,\"
which shows field name:
address
1234 Nothing 2C Avenue","city":"something","state":"RD"

gcusello · ‎12-06-2024

Hi @CyberWolf ,

please try:

<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state

Ciao.

Giuseppe

CyberWolf · ‎12-06-2024

Thank you all it worked! (Grazie mile!) YEAHHH

richgalloway · ‎12-06-2024

Are you trying to capture the data in a single field or multiple fields? Is this to be done at index time or search time?

---
If this reply helps you, Karma would be appreciated.

CyberWolf · ‎12-06-2024

all in a single field so i can used later to dc (distinguish count)

regex address

regex

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

regex address

regex

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...