Splunk Search

regex address

CyberWolf
Path Finder

I'm trying to capture address, city and state, which are in one line but have ", : and , in them.
I would like to exclude the quotes, commas and colons.
See the test example below.


12345 noth test Avenue","city":"test","state":"test",

1 Solution

gcusello
SplunkTrust

Hi @CyberWolf ,

please try:

<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state

Ciao.

Giuseppe


CyberWolf
Path Finder

Thanks, but I think I wasn't clear. What I'm trying to do is have all of that in one field called (?<address>), not separated into city and state.


gcusello
SplunkTrust

Hi @CyberWolf ,

Let me understand: you want only one field, called address, containing city and state. Is that correct?

In this case, please try this:

<your_search>
| rex ".*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:\"(?<state>[^\"]+)"
| eval address=state." ".city

Ciao.

Giuseppe

dural_yyz
Builder

Creating the regex would be easy enough, but it looks like your data is already coming in JSON or XML format. Is there a chance that the fields are already extracted as "city" and "state"? If not, then I would recommend revisiting the ingestion props as a best practice. Rather than creating a lot of regex at search time, if you had that field extraction during indexing then any changes to the data would auto-extract new fields.


.*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)


CyberWolf
Path Finder

Correct, it comes in JSON and I don't have control of it, but what I'm trying to have is address, city and state all in the field, ignoring the commas, quotes and :


gcusello
SplunkTrust

Hi @CyberWolf ,

If the logs you have look like that, you can use a regex like the following:

| rex "^[^,]+,\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"

that you can test at https://regex101.com/r/ZafgnI/1

I'd be more detailed if you could share a complete log, not only a part of it.

Ciao.

Giuseppe

CyberWolf
Path Finder

Example from the raw logs:
"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"

I would like to have the field name Address:
Address
1234 Nothing 2C Avenue City something state RD

All that in one field, so ignore the " , and :

What I have:
index=something
| rex field=_raw "address\"\:\"(?<address>.*?)\"\,\"
which shows field name:
address
1234 Nothing 2C Avenue","city":"something","state":"RD"


gcusello
SplunkTrust

Hi @CyberWolf ,

please try:

<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state

Ciao.

Giuseppe
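As an added illustration (not code from the thread or from Splunk), the accepted extraction above and the JSON-based alternative dural_yyz raised are written out in Python so the two can be compared on a constructed copy of the quoted log fragment. The regex mirrors the accepted rex, including its `^` anchor, so it assumes the event starts with `"address"` as in the quoted fragment; the JSON path wraps the fragment in braces and lets the parser handle the quoting rules. The second sample line, which contains a JSON-escaped quote inside the address value, is constructed to show where `[^"]+` stops short while the JSON parser does not.

```python
import json
import re
from typing import Optional

# Constructed sample modelled on the raw-log fragment quoted in the thread.
RAW = '"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"'

# Constructed second sample: a JSON-escaped quote inside the address value.
RAW_ESCAPED = r'"address":"12 \"A\" Street","city":"something","state":"RD"'

# Python form of the accepted rex. Each [^"]+ runs up to the next quote, so the
# separators (" , :) between the three values are matched literally, not captured.
ADDRESS_RE = re.compile(
    r'^"address":"(?P<address>[^"]+)","city":"(?P<city>[^"]+)","state":"(?P<state>[^"]+)'
)


def extract_with_regex(raw: str) -> Optional[dict]:
    """Return the three captures, or None when the pattern does not match."""
    m = ADDRESS_RE.search(raw)
    return m.groupdict() if m else None


def combine(fields: dict) -> str:
    """Equivalent of: | eval address=address." City ".city." state ".state"""
    return f"{fields['address']} City {fields['city']} state {fields['state']}"


def extract_with_json(raw: str) -> dict:
    """Treat the fragment as the members of a JSON object and let the parser
    handle the quoting rules (including escaped quotes inside values)."""
    obj = json.loads("{" + raw + "}")
    return {key: obj[key] for key in ("address", "city", "state")}


if __name__ == "__main__":
    print(combine(extract_with_regex(RAW)))         # 1234 Nothing 2C Avenue City something state RD
    print(extract_with_regex(RAW_ESCAPED))          # None: [^"]+ cannot cross the escaped quote
    print(combine(extract_with_json(RAW_ESCAPED)))  # 12 "A" Street City something state RD
```

On the plain fragment both paths give the same three values and the same combined string; on the escaped-quote variant the regex fails to match at all, which is the kind of silent gap in a search-time extraction that index-time JSON field extraction avoids.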

CyberWolf
Path Finder

Thank you all, it worked! (Grazie mille!) YEAHHH


richgalloway
SplunkTrust

Are you trying to capture the data in a single field or multiple fields?  Is this to be done at index time or search time?

---
If this reply helps you, Karma would be appreciated.

CyberWolf
Path Finder

All in a single field so I can use it later for dc (distinguish count).
