Regex in regex101 is not working in Splunk.

jagdeepgupta813
Explorer

Hi,

I want to extract the serialNumber value from the logs. Below is the sample log:

\"serialNumber\" : \"A1BZD2C5HD29\".

I tried using the below expression to extract the serial number from the logs. The regular expression in the quotes works correctly on the regex101 site, but it is not

rex field=response "\\\"serialNumber\\\"\s+:\s+\\\"(?<srLNumber>\w+)"

Below is the complete sample response object (pasting it, as the issue may be due to the text arrangement in the object):

response="
{
\"FetchedDetails\" : {
\"TimeStamp\" : \"312345677122199\",
\"serialNumber\" : \"C12SDJGRHLND7\"
}
}"

The size of the serial number can vary to any length, and it would contain only alphanumeric characters.
I tried multiple other options, like using .+ instead of \w+, but they did not work.
Any advice on selecting the serial number is appreciated.

Thanks

0 Karma

woodcock
Esteemed Legend

I cannot believe that we are still rehashing this. This generates a sample event/field:

|makeresults | eval response="response=\"
{
\\\"FetchedDetails\\\" : {
\\\"TimeStamp\\\" : \\\"312345677122199\\\",
\\\"serialNumber\\\" : \\\"C12SDJGRHLND7\\\"
}
}\""

You can use RegEx like this:

... | rex field=response "\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)"

Or get everything like this:

... | rename response AS _raw
| rex mode=sed "s/^response=\"[\r\n]+// s/[\r\n]+}\"$// s/\\\\\"/\"/g"
| kv
0 Karma

AnilPujar
Path Finder

Session ID : hLwfKyKGuiq0Pk2GjO4IPKPe
User Name : admin
Creation Time : Wed Aug 14 09:40:00 GST 2019
Last Accessed Time : Wed Aug 14 09:40:00 GST 2019
Session ID : B3pJDeEwH+yi7sMzrdsGXfoQ
User Name : user
Creation Time : Wed Aug 14 09:40:00 GST 2019
Last Accessed Time : Wed Aug 14 09:40:00 GST 2019

?

0 Karma

jagdeepgupta813
Explorer

Below is the complete sample response object (pasting it, as the issue may be due to the text arrangement in the object):

response="
{
\"FetchedDetails\" : {
\"TimeStamp\" : \"312345677122199\",
\"serialNumber\" : \"C12SDJGRHLND7\"
}
}"

0 Karma

somesoni2
SplunkTrust

Give this a try

your base search | rex field=response "serialNumber[^\"]+\"\s*\:\s*[^\"]+\"(?<serialNumber>[^\"]+)"
0 Karma

jagdeepgupta813
Explorer

@somesoni2: Thanks for replying.
This also did not work. I tried removing the additional '\"' after the group search [^\"]+, but no luck.

0 Karma

somesoni2
SplunkTrust

So it's not capturing anything, or capturing wrong/incomplete?

0 Karma

jagdeepgupta813
Explorer

It's not capturing anything.

0 Karma

rjthibod
Champion

Try using the hex value for backslash instead of dealing with the escape sequences.

| rex field=response "\x5c\"serialNumber\x5c\"\s*:\s*\x5c\"(?<srLNumber>\w+)"

If you need to go even more extreme, try the hex values for the double quotes as well.

| rex field=response "\x5c\x22serialNumber\x5c\x22\s*:\s*\x5c\x22(?<srLNumber>\w+)"

0 Karma

jagdeepgupta813
Explorer

@rjthibod: Thanks for replying. I tried both combinations and they did not work.

0 Karma

woodcock
Esteemed Legend

You need 2 more backslashes in each spot. This works:

This fakes the data:

|makeresults | eval response="\\\"serialNumber\\\" : \\\"A1BZD2C5HD29\\\"."

This is your solution:

| rex field=response "\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)"
0 Karma
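The backslash-counting argument in woodcock's two replies above, and the reason the OP's original rex cannot match, can be checked offline. The following Python script is an added example written for this page, not code from the thread or from Splunk. It models the two layers a rex pattern passes through: first the SPL string parser, which (by assumption, consistent with the working answer in the thread) turns a doubled backslash into one backslash and a backslash-quote into a plain quote and leaves every other escape such as `\s` or `\w` alone, then the regex engine. The sample `response` value is constructed from the OP's post; the PCRE named-group spelling `(?<name>...)` is rewritten to Python's `(?P<name>...)` because Python's `re` does not accept the PCRE form.

```python
import re

# Constructed sample data, not taken from a live Splunk instance: the value of
# the `response` field exactly as the OP pasted it, i.e. with a literal
# backslash in front of every double quote.
RESPONSE_FIELD = r'''{
\"FetchedDetails\" : {
\"TimeStamp\" : \"312345677122199\",
\"serialNumber\" : \"C12SDJGRHLND7\"
}
}'''

# The OP's rex argument and woodcock's, copied verbatim from the thread
# (the text between the SPL double quotes).
OP_REX = r'\\\"serialNumber\\\"\s+:\s+\\\"(?<srLNumber>\w+)'
WOODCOCK_REX = r'\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)'

# woodcock's makeresults/eval literal from the thread, also between SPL quotes.
FAKE_DATA_EVAL = r'\\\"serialNumber\\\" : \\\"A1BZD2C5HD29\\\".'


def spl_unescape(literal: str) -> str:
    """Layer 1: what the SPL parser does to a double-quoted string.

    Assumption (consistent with the working answer in the thread): only a
    doubled backslash (becomes one backslash) and backslash-quote (becomes a
    quote) are processed; every other backslash sequence is passed through
    untouched so the regex engine sees it.
    """
    out = []
    i = 0
    while i < len(literal):
        if literal[i] == '\\' and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return ''.join(out)


def pcre_search(pattern: str, text: str):
    """Layer 2: run the unescaped pattern as a regex.

    Python's re module spells named groups (?P<name>...), so the PCRE form
    (?<name>...) is rewritten; everything else used here behaves identically.
    """
    py_pattern = re.sub(r'\(\?<(?![=!])', '(?P<', pattern)
    return re.search(py_pattern, text)


def rex(spl_literal: str, field_value: str, group: str):
    """Emulate `| rex field=x "<spl_literal>"`: return the named capture or None."""
    m = pcre_search(spl_unescape(spl_literal), field_value)
    return m.group(group) if m else None


if __name__ == '__main__':
    for name, literal in (('OP', OP_REX), ('woodcock', WOODCOCK_REX)):
        print(f'{name}: SPL literal  {literal}')
        print(f'{name}: regex seen   {spl_unescape(literal)}')
        print(f'{name}: capture      {rex(literal, RESPONSE_FIELD, "srLNumber")!r}')
    # The makeresults/eval string goes through the same SPL layer before it
    # becomes field data, which is why the rex then matches it.
    fake = spl_unescape(FAKE_DATA_EVAL)
    print('fake field value:', fake)
    print('capture from fake:', rex(WOODCOCK_REX, fake, 'srLNumber'))
```

Running it shows the OP's literal reaching the regex engine as `\"serialNumber\"...`, which only matches a quote with no backslash in front of it, while woodcock's reaches it as `\\"serialNumber\\"...`, a literal backslash followed by a quote. regex101 has no SPL layer in front of it, so a pattern pasted there is tested against the data directly; the extra pair of backslashes is needed only once the same pattern is typed inside an SPL string.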

jagdeepgupta813
Explorer

@woodcock: Thanks for replying.
This also did not work. It is working only if I keep the same serial number "A1BZD2C5HD29".
I tried using \w+ instead of the serial number.

0 Karma

woodcock
Esteemed Legend

The solution is this part:

... | rex field=response "\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)"

The other stuff was faking the data.

0 Karma

woodcock
Esteemed Legend

This absolutely does work.

0 Karma

jkat54
SplunkTrust

Weird, I just did one earlier that only needed a single backslash for quotes and backslashes...

0 Karma

jkat54
SplunkTrust

Are you sure this is the "response" field in your data? Have you tried removing field=response?

0 Karma

jagdeepgupta813
Explorer

@jkat54: Thanks for replying. Yes, I am sure this is in the response object.
By the way, I have tried with the _raw field as well, and that also did not fetch the result.

0 Karma