Getting Data In

How to parse hash code from a raw log into a field

kjebaker3
New Member

Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload

What is the regex to parse the bold section out of a raw log?


woodcock
Esteemed Legend

Like this:

... |  rex "SHA (?<hash>\S+)"

kjebaker3
New Member

Thank you for your answers! How would I make this into a field extraction?


cpetterborg
SplunkTrust

At search time, or index time? BTW, Splunk best practice is at search time.


kjebaker3
New Member

At search time. I need to use a Data Model that contains fields that are currently not being parsed from the raw logs. I ran the regex and it worked so now I need this to be a field extraction that I can add to an app that the Data Model uses.


cpetterborg
SplunkTrust

Create a field extraction by going to Settings -> Fields -> Field Extractions -> New Field Extraction.

Then you fill in the form and use the regex in the Extraction/Transform field of the form.


niketn
Legend

@kjebaker3, refer to the following documentation for Field Extraction using IFX. You can override the automatic regular expression with your custom regular expression in the guided wizard: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cpetterborg
SplunkTrust

Something like this "run-anywhere" example should work for the case you provide:

| makeresults
| eval _raw="Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a" 
| rex "SHA (?<hash>[a-f0-9]+)"

niketn
Legend

@kjebaker3, adding a raw event sample would help us identify the correct regular expression pattern. Assuming the SHA value will be followed by a space character (the SHA itself will not contain a space), you can try the following regex on your _raw events:

<yourSearch>
| rex "SHA (?<hash>[^\s]+)\s"

@cpetterborg, I slightly changed your regex. Not sure of the exact pattern until the complete event can be posted.

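The three regexes proposed in this thread (woodcock's `\S+`, cpetterborg's `[a-f0-9]+` and niketn's `[^\s]+\s`) all capture the hash from the one event the poster showed, but they behave differently on events that are slightly off, which matters once the field feeds a Data Model that other searches (threat-intel lookups, file-hash matching) rely on. The following is an added example, not code from the thread or from Splunk, that runs each pattern over a few constructed mail-log events and adds a stricter pattern that only accepts a 64-character hex string, the length of a SHA-256 digest. Python's `re` spells Splunk's PCRE named group `(?<hash>...)` as `(?P<hash>...)`; that is the only change to the posted patterns. Only the first event is the poster's own line; the others are constructed here to show the edge cases.

```python
import re

# Sample events. EVENTS[0] is the event from the original question;
# EVENTS[1:] are constructed here to exercise edge cases.
EVENTS = [
    "Mail_Log_Splunk: Info: MID 119972447 SHA "
    "ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a "
    "filename Pics meeting pagoda.doc queued for possible file analysis upload",
    # hash is the last token on the line (no trailing space)
    "Mail_Log_Splunk: Info: MID 119972448 SHA "
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    # a value that is hex but far too short to be a SHA-256 digest
    "Mail_Log_Splunk: Info: MID 119972449 SHA deadbeef filename x.doc",
    # an event with no SHA at all
    "Mail_Log_Splunk: Info: MID 119972450 message queued",
]

# The patterns from the thread, plus a strict one. Splunk's (?<name>...)
# becomes (?P<name>...) in Python; nothing else differs.
REGEXES = {
    "woodcock":    r"SHA (?P<hash>\S+)",
    "cpetterborg": r"SHA (?P<hash>[a-f0-9]+)",
    "niketn":      r"SHA (?P<hash>[^\s]+)\s",
    # exactly 64 hex digits, bounded on both sides: a SHA-256 digest or nothing
    "strict":      r"\bSHA (?P<hash>[0-9a-fA-F]{64})\b",
}


def extract_hash(event: str, pattern: str):
    """Return the captured 'hash' group for one event, or None if no match."""
    m = re.search(pattern, event)
    return m.group("hash") if m else None


def extract_all(events, pattern):
    """Apply one pattern to every event; None marks events that yield no field."""
    return [extract_hash(e, pattern) for e in events]


def compare_patterns(events=EVENTS, regexes=REGEXES):
    """Map each pattern name to the list of values it would extract."""
    return {name: extract_all(events, pat) for name, pat in regexes.items()}


if __name__ == "__main__":
    for name, values in compare_patterns().items():
        print(f"{name:12s} {values}")
```

On the poster's event all four patterns agree. They part ways on the constructed lines: `[^\s]+\s` requires a character after the hash and so misses a digest that ends the line, while `\S+` and `[a-f0-9]+` happily return `deadbeef`, which would then be indexed into the Data Model as if it were a file hash. The strict pattern returns a value only when the token is a full SHA-256 digest. To make this a search-time extraction without the Settings -> Fields wizard, the same regex (in Splunk's `(?<hash>...)` form) goes into props.conf for the relevant sourcetype, for example `EXTRACT-hash = SHA (?<hash>[0-9a-fA-F]{64})` under a stanza such as `[mail_log]` (the sourcetype name here is assumed, not from the thread).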