Splunk Search

How to switch 2 strings in one field

olivier120987
New Member

Hello,

So basically I've got this field value :

Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>

I'd like to have the URL and the Microsoft reference switched, as well as the whole phrase made cleaner (getting rid of the 'TARGET=..'). That would result in:

Refer to MS15-011 : https://technet.microsoft.com/library/security/ms15-011

I've tried various things like sed (| rex field=Remediation mode=sed (HREF-{[^}]+})). Thing is, I don't really want to extract fields; that might make things trickier, as assuming I have all my fields extracted, I'd then have to put them back together.
I think the better solution would be something that replaces everything straight away, within my main field value.

Any help would be appreciated, thank you 🙂

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval Remediation="Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>"

| rename COMMENT AS "Everything above generates test data; everything below is your solution"

| rex field=Remediation mode=sed "s%<A HREF='(.*)' TARGET='_blank'>(.*)</A>.*$%\2 : \1%"
0 Karma

woodcock
Esteemed Legend

All done in a single command.

0 Karma

horsefez
SplunkTrust

Hi olivier,

I don't think you could fit the solution into only one simple command, but my solution isn't too complicated either.

<yoursearch> | rex field=Remediation "(?:^)(?<string1>[^\<]+)[^\']+\'(?<string2>[^\']+)[^\>]+\>(?<string3>[^\<]+)" | eval Remediation = string1 + string3 + " : " + string2
0 Karma

gcusello
SplunkTrust

Hi olivier120987
try this

your_search
| rex field=Remediation "HREF\=\'(?<url>[^\']*)\'\s+TARGET\=\'[^\>]*\>(?<MS_Ref>[^\<]*)"
| eval final_field="Refer to "+MS_Ref+" : "+url
| ...

Test regex at https://regex101.com/r/8BsDLD/1
Bye.
Giuseppe

0 Karma
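The two extraction answers above (horsefez's and gcusello's) pull the URL and the reference into separate fields and then rebuild the string with eval. As an added example that is not part of the thread, here is gcusello's pattern prototyped in Python on a constructed sample with two anchors (taken from the longer value the asker posts further down), so the default single-match behaviour of rex can be seen next to the all-matches equivalent of rex max_match=0 before the expression goes into a search:

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the asker's Remediation field, built from
# the two anchors in the longer value posted further down the thread.
SAMPLE = (
    "Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' "
    "TARGET='_blank'>MS15-011</A>to obtain further patch information.<P>"
    "Refer to Microsoft Knowledge Base Article "
    "<A HREF='https://support.microsoft.com/en-us/help/3000483' "
    "TARGET='_blank'>KB3000483</A> to obtain further information."
)

# The extraction pattern from the answer above. Splunk's rex is PCRE-based, so
# (?P<name>...) is accepted by both engines; Python's re does not take (?<name>...).
ANCHOR = re.compile(r"HREF='(?P<url>[^']*)'\s+TARGET='[^>]*>(?P<MS_Ref>[^<]*)")


def extract_first(text: str) -> Optional[Dict[str, str]]:
    """Mirror of rex with its default max_match=1: only the first anchor."""
    m = ANCHOR.search(text)
    return m.groupdict() if m else None


def extract_all(text: str) -> List[Dict[str, str]]:
    """Mirror of rex max_match=0: every anchor, in document order."""
    return [m.groupdict() for m in ANCHOR.finditer(text)]


def final_fields(text: str) -> List[str]:
    """The eval step, once per anchor: 'Refer to <MS_Ref> : <url>'."""
    return [f"Refer to {m['MS_Ref']} : {m['url']}" for m in extract_all(text)]


if __name__ == "__main__":
    # First-match extraction silently drops the KB3000483 link.
    print(extract_first(SAMPLE))
    for line in final_fields(SAMPLE):
        print(line)
```

With a single anchor the two extraction functions agree; with two, extract_first returns only MS15-011 and the second link is lost without any error, which is the failure mode the asker runs into later in the thread. In SPL the all-matches form is rex max_match=0, which leaves url and MS_Ref as multivalue fields that still have to be paired up (for example with mvzip), whereas finditer keeps each pair together.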

somesoni2
SplunkTrust

Try this

your current search with field Remediation 
| rex field=Remediation mode=sed "s/(Refer to )([^\']+\')([^\']+)([^\>]+\>)([^\<]+).+/\1\5 : \3/g"

horsefez
SplunkTrust

Holy moly.... what an amazing solution!!! 😃

0 Karma

olivier120987
New Member

Thank you so much! You got me a huge step forward..
Annoyingly, it ignores the rest of the URLs. I happen to have multiple HREF/Microsoft refs:

Here is a more complete sample :

Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>to obtain further patch information.<P>In some environments, to be completely protected from the vulnerability, additional configuration by a system administrator is required in addition to deploying this security update. Refer to Microsoft Knowledge Base Article <A HREF='https://support.microsoft.com/en-us/help/3000483' TARGET='_blank'>KB3000483</A> to obtain further information.<P><P>Patch:&lt;br/&gt;Following are links for downloading patches
0 Karma

horsefez
SplunkTrust

Try this:

| rex field=Remediation mode=sed "s/(Refer to[^<]+)([^\']+\')([^\']+)([^>]+>)([^<]+)<\/A>/\1\5 : \3/g"

Edit: darn... too late again

0 Karma

somesoni2
SplunkTrust

My solution was tailored based on your example in question, so not handling multiple URLs.
What would be the expected output for this sample?

0 Karma

somesoni2
SplunkTrust

Give this a try as well

s/(Refer to[^\<]+)([^\']+')([^\']+)([^\>]+\>)([^\<]+)\S+([^\.]+\.)/\1\5 : \3\6/g
0 Karma
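The sed-style answers above all rewrite the anchor in place rather than extracting fields. As an added example that is not from the thread, the following Python prototype runs a greedy `.*` pattern (in the spirit of the first sed answer) and a negated-character-class pattern (as in the later ones) over the asker's two-link sample, so the difference is visible before an expression is pasted into rex mode=sed. It also consumes the closing </A> so no tag fragment is left behind, and it covers the case where the source runs straight from the tag into the next word ("</A>to obtain"), which a plain replacement would turn into "ms15-011to". The sample text is constructed from the values posted in the thread.

```python
import re

# Constructed sample: the asker's two-link Remediation value, shortened. Note
# the first anchor runs straight into the next word ("</A>to obtain").
SAMPLE = (
    "Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' "
    "TARGET='_blank'>MS15-011</A>to obtain further patch information.<P>"
    "Refer to Microsoft Knowledge Base Article "
    "<A HREF='https://support.microsoft.com/en-us/help/3000483' "
    "TARGET='_blank'>KB3000483</A> to obtain further information."
)

# The single-link value from the original question.
SINGLE = (
    "Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' "
    "TARGET='_blank'>MS15-011</A>"
)

# Greedy .* between the delimiters, in the spirit of the first sed answer.
GREEDY = re.compile(r"<A HREF='(.*)' TARGET='_blank'>(.*)</A>")

# Negated character classes stop at the first quote / angle bracket, and the
# closing </A> is inside the match so no tag fragment survives the rewrite.
ANCHOR = re.compile(r"<A HREF='([^']+)' TARGET='_blank'>([^<]+)</A>")


def rewrite_greedy(text: str) -> str:
    """Global sed-style replace with the greedy pattern (the pitfall)."""
    return GREEDY.sub(r"\2 : \1", text)


def _repl(m):
    url, ref = m.group(1), m.group(2)
    # If the source continues with a letter or digit right after </A>, insert a
    # space so the URL does not fuse with the following word.
    nxt = m.string[m.end():m.end() + 1]
    return f"{ref} : {url}" + (" " if nxt.isalnum() else "")


def rewrite(text: str) -> str:
    """Global in-place rewrite of every '<A HREF=url ...>REF</A>' to 'REF : url'."""
    return ANCHOR.sub(_repl, text)


if __name__ == "__main__":
    print(rewrite_greedy(SAMPLE))  # one garbled "REF : url" spanning both links
    print(rewrite(SAMPLE))         # two clean "REF : url" rewrites
```

On the single-link value both patterns give the same "Refer to MS15-011 : https://..." result, which is why the greedy version looked fine at first. On the two-link value the greedy `(.*)` stretches from the first HREF to the last TARGET, so the whole field collapses into one "KB3000483 : https://technet..." line with the first anchor's tag fragments still inside it; the negated-class version rewrites each anchor independently. The conditional space in _repl is the one part that has no direct sed equivalent; in SPL it would need a second pass, or the source data would need a space after </A>.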