Splunk Search

Help with some basic REGEX please?

pir8radio
Path Finder

In this string: Version=\x221.7.53a\x22
I want to capture everything between \x22 and \x22, so the result on this string would be 1.7.53a,
but other strings could look like Version=\x224.3.0.15\x22, where the result should be 4.3.0.15.

There are other fields like user=\x22username\x22 that I don't care about; I just want the version=\x22.........\x22.
Any help would be appreciated.

0 Karma
1 Solution

arjunpkishore5
Motivator

Based on the data you posted in @richgalloway's answer, it looks like there are no field extractions on your data, so this is what you probably need:

| rex field=_raw "Version=\\x22(?<version>[^\\]+)\\x22"

If you do have field extractions, @richgalloway's answer is right except for a small error: there's a missing x at the end, so this is what you need. I posted this as a comment on his answer. If this works, please upvote his answer and mark this as the answer.

| rex field=Version "\\x22(?<version>[^\\]+)\\x22"


0 Karma
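The same extraction outside Splunk, as an added example that is not from the thread: the raw event holds the four literal characters `\x22` (nginx's escape for `"`), so the pattern has to match a literal backslash followed by `x22`; a bare `\x22` in the regex matches the double-quote character and finds nothing. The sample log line is constructed after the one quoted in the question (addresses and IDs are made up), and the pair parser generalises the accepted answer to every `Key=\x22Value\x22` field in that header.

```python
import re

# Constructed sample, modelled on the access-log line quoted in the question.
# nginx writes a double quote inside a logged value as the literal text \x22.
SAMPLE_LOG = (
    '198.51.100.7 - - [28/Oct/2019:20:40:58 -0500] '
    '"POST /emby/Sessions/Playing/Progress HTTP/1.1" 204 0 "-" '
    '"Dalvik/2.1.0 (Linux; U; Android 7.1.2)" "-" 0.042 443 '
    '"MediaBrowser Client=\\x22AndroidTv\\x22, DeviceId=\\x22dec6c5313ff588a2\\x22, '
    'Device=\\x22Bedroom TV\\x22, Version=\\x221.7.53a\\x22, UserId=\\x22EXAMPLEID\\x22"'
)

# Correct: \\ matches one literal backslash, then the characters x22.
# [^\\]+ stops at the next backslash, i.e. at the closing \x22.
VERSION_RE = re.compile(r'Version=\\x22(?P<version>[^\\]+)\\x22')

# Wrong: the regex engine turns \x22 into the " character, which the raw
# event does not contain at that position, so this never matches.
NAIVE_RE = re.compile(r'Version=\x22(?P<version>[^"]+)\x22')

# Generalisation: every Key=\x22Value\x22 pair in the MediaBrowser header.
# Non-greedy .*? stops at the first closing \x22, so escaped characters
# inside a value (e.g. \x5C for a backslash) are kept for decoding below.
PAIR_RE = re.compile(r'(?P<key>\w+)=\\x22(?P<value>.*?)\\x22')

HEX_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def extract_version(raw: str):
    """Version value from one raw event, or None when absent."""
    m = VERSION_RE.search(raw)
    return m.group('version') if m else None


def extract_version_naive(raw: str):
    """Same intent with the unescaped pattern; returns None on real nginx data."""
    m = NAIVE_RE.search(raw)
    return m.group('version') if m else None


def unescape_nginx(value: str) -> str:
    """Turn nginx \\xHH escapes back into the characters they encode."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def extract_pairs(raw: str) -> dict:
    """All Key=\\x22Value\\x22 pairs from the event, values decoded."""
    return {m.group('key'): unescape_nginx(m.group('value'))
            for m in PAIR_RE.finditer(raw)}
```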

wenthold
Communicator

Escaping backslashes with rex is strange. You could use three backslashes:

| rex field=_raw "Version=\\\x22(?<Version>.*?)\\\x"

or use \x5c:

| rex field=_raw "Version=\x5cx22(?<Version>.*?)\x5cx"
0 Karma

jawahir007
Path Finder

Try this:

| rex field=Version "\\x22(?<version>.*)\\x22"

0 Karma

richgalloway
SplunkTrust

At search time, you can use | rex field=Version "\\x22(?<version>[^\\]+)\\22".

---
If this reply helps you, Karma would be appreciated.
0 Karma

arjunpkishore5
Motivator

I think you meant | rex field=Version "\\x22(?<version>[^\\]+)\\x22"

You missed the x at the end 😉

0 Karma

pir8radio
Path Finder

Either I'm using this incorrectly, or it's not working. Here is the full string in the database:

172.69.63.125 - - [28/Oct/2019:20:40:58 -0500] "POST /emby/Sessions/Playing/Progress HTTP/1.1" 204 0 "-" "Dalvik/2.1.0 (Linux; U; Android 7.1.2; AFTMM Build/NS6266)" "2601:243:ca80:35ce:31dc:3f3f:5f8e:3718
forwarded_for
" 0.042 443 "MediaBrowser Client=\x22AndroidTv\x22, DeviceId=\x22dec6c5313ff588a2\x22, Device=\x22Bedroom TV\x22, Version=\x221.7.53a\x22, UserId=\x22e76db24xxxxxxxxxxxxd7a988641618\x22"

I want to extract a field using regex. Out of the above string, I would like "1.7.53a" for field Version. Various versions exist; one could be 4.3.0.15 or 1.7.53 or 1.7.53a etc., so basically in the above access log I want to grab that version field and get rid of the \x22 on each side of the version number.

0 Karma