Splunk Search

How come my rex command doesn't give results as expected?

ananth402
Explorer

I have the following log statement and I would like to retrieve the mac address which is a 12 digit string from it.

msgType=notifications notification={"device":"mac:Ab12Cd34nm67","cam":"{\"mac\":\"Ab:12:Cd:34:nm:67\",\"Number\":\"AAAAAAAAA\",.....}"}

I tried with

 host=host* source="source.log" "msgType=notifications*" | rex "(?<mac:.{12})>"

I'm looking for the string mac:Ab12Cd34nm67. How can change the regex to obtain the expected string?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this updated

 host=host* source="source.log" "msgType=notifications*" | rex "mac\:(?<mac>.{12})"
0 Karma

ananth402
Explorer

There seems to be an issue with the regex statement because it shows Premature end of data in tag form line 1 when I try to use it

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yeah.. missed removing a >. Try the updated answer.

0 Karma

ananth402
Explorer

tried using host=host* source="source.log" "msgType=notifications*" | rex "mac:(?<mac_number>)" | stats count by mac_number doesn't give me any results

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...