Splunk Search

How do I use regex to search a field for content?

digital_alchemy
Path Finder

I'm searching for specific GET requests for example:

GET /wddyr.php?id=41576619113845C1EE http/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

I want to pull out anything that matches this pattern:

{5characters}.php?id={6 random numbers}{12 characters}

The below regex works, but I can't figure out how to implement it within Splunk.

[A-Za-z]{5}\.php[?]id=[0-9]{6}[A-Za-z0-9]{12}

MuS
SplunkTrust

Hi digital_alchemy,

If you want to get everything into one field called, for example, getField, use it in a search this way:

your base search here | rex "(?<getField>[A-Za-z]{5}\.php[?]id=[0-9]{6}[A-Za-z0-9]{12})" | table getField

Or split it into three different fields:

your base search here | rex "(?<getScript>[A-Za-z]{5}\.php)[?]id=(?<getID>[0-9]{6})(?<getString>[A-Za-z0-9]{12})" | table getScript getID getString

Hope this helps ...

cheers, MuS
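
To see what the posted regex and the rex extraction above actually match, here is an added Python example; it is not from the original post and not Splunk's own code. It runs the regex exactly as posted in the question and a corrected form over a few constructed request lines, then mimics the three-field rex split. Python's re spells named groups (?P<name>...) where Splunk's PCRE-based rex uses (?<name>...); everything else in the patterns is identical. The sample events and the function names are my own.

```python
import re

# Constructed sample events (not from the original post). The first has the
# shape the question describes; the others probe the edges of the pattern.
SAMPLE_EVENTS = [
    "GET /wddyr.php?id=41576619113845C1EE http/1.1",   # should match
    "GET /abcde.php?id=123456ABCDEFGHIJKL HTTP/1.1",   # should match
    "GET /wddyrXphp?id=41576619113845C1EE HTTP/1.1",   # no literal ".php"
    "GET /ab,de.php?id=41576619113845C1EE HTTP/1.1",   # comma in script name
    "GET /wddyr.php?id=4157AB HTTP/1.1",               # id too short
]

# Regex as originally posted in the question. Two defects: the comma inside
# [a-z,A-Z] is a literal character that the class therefore also matches,
# and the unescaped "." before "php" matches any single character.
POSTED_PATTERN = r"[a-z,A-Z]{5}.php[?]id=[0-9]{6}[a-z,A-Z,0-9]{12}"

# Same intent with both defects fixed: no commas in the classes, literal
# dot escaped. This is the form to put inside the Splunk rex command.
FIXED_PATTERN = r"[A-Za-z]{5}\.php\?id=[0-9]{6}[A-Za-z0-9]{12}"

# The three-field split from the answer, in Python's named-group syntax.
SPLIT_PATTERN = (
    r"(?P<getScript>[A-Za-z]{5}\.php)\?id="
    r"(?P<getID>[0-9]{6})(?P<getString>[A-Za-z0-9]{12})"
)


def matching_events(pattern, events):
    """Return the events containing a match, like `| regex _raw=...` in SPL."""
    compiled = re.compile(pattern)
    return [e for e in events if compiled.search(e)]


def extract_fields(pattern, event):
    """Mimic `| rex` with named groups: group name -> value for the first
    match, or None when the event does not match (rex then sets no fields)."""
    m = re.search(pattern, event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_PATTERN), ("fixed", FIXED_PATTERN)):
        print(name)
        for e in matching_events(pat, SAMPLE_EVENTS):
            print("   ", e)
    for e in SAMPLE_EVENTS:
        print(extract_fields(SPLIT_PATTERN, e))
```

Running it shows the posted pattern accepting the "wddyrXphp" and "ab,de.php" lines that the corrected one rejects, while both reject the short id. Two further caveats for a real hunt: the pattern is not anchored, so a longer script name such as "abcdefgh.php" still matches on its last five letters (add a lookbehind like (?<=/) before the class if the name length matters), and rex only creates fields, it does not filter; to keep only matching events in Splunk, follow the rex with `| where isnotnull(getField)` or use `| regex _raw="..."` with the same expression.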
