Solved: Help with some basic REGEX please?

pir8radio · ‎10-21-2019

In this string: Version=\x221.7.53a\x22
I want to capture everything in between \x22 and \x22 so the result on this string would be 1.7.53a
but some other strings could look like Version=\x224.3.0.15\x22 the result should be 4.3.0.15

there are other fields like user=\x22username\x22 that i dont care about, just the version=\x22.........\x22
Any help would be appreciated.

arjunpkishore5 · ‎10-29-2019

Based on the data you posted in @richgalloway Answer, it looks like there are no field extractions on your data. so this is what you probably need

| rex field=_raw "Version=\\x22(?<version>[^\\]+)\\x22"

If you do have field extractions, @richgalloway 's answer is right except for a small error. there's a missing x at the end. so this is what you need. I posted this as a comment on his answer. If this work's, Please upvote his answer and mark this as the answer

| rex field=Version "\\x22(?<version>[^\\]+)\\x22"

View solution in original post

wenthold · ‎10-30-2019

Escaping backlashes with rex is strange. You could use three slashes:

| rex field=_raw "Version=\\\x22(?<Version>.*?)\\\x"

or use \x5c:

| rex field=_raw "Version=\x5cx22(?<Version>.*?)\x5cx"

arjunpkishore5 · ‎10-29-2019

Based on the data you posted in @richgalloway Answer, it looks like there are no field extractions on your data. so this is what you probably need

| rex field=_raw "Version=\\x22(?<version>[^\\]+)\\x22"

If you do have field extractions, @richgalloway 's answer is right except for a small error. there's a missing x at the end. so this is what you need. I posted this as a comment on his answer. If this work's, Please upvote his answer and mark this as the answer

| rex field=Version "\\x22(?<version>[^\\]+)\\x22"

jawahir007 · ‎10-22-2019

try this : | rex field=Version "\\x22(?<version>.*)\\x22"

richgalloway · ‎10-21-2019

At search time, you can use | rex field=Version "\\x22(?<version>[^\\]+)\\22".

---
If this reply helps you, Karma would be appreciated.

arjunpkishore5 · ‎10-29-2019

I think you meant | rex field=Version "\\x22(?<version>[^\\]+)\\x22"

You missed the x at the end 😉

pir8radio · ‎10-28-2019

either I'm using this incorrectly, or its not working, here is the full string in the database:

172.69.63.125 - - [28/Oct/2019:20:40:58 -0500] "POST /emby/Sessions/Playing/Progress HTTP/1.1" 204 0 "-" "Dalvik/2.1.0 (Linux; U; Android 7.1.2; AFTMM Build/NS6266)" "2601:243:ca80:35ce:31dc:3f3f:5f8e:3718
forwarded_for
" 0.042 443 "MediaBrowser Client=\x22AndroidTv\x22, DeviceId=\x22dec6c5313ff588a2\x22, Device=\x22Bedroom TV\x22, Version=\x221.7.53a\x22, UserId=\x22e76db24xxxxxxxxxxxxd7a988641618\x22"

i want to extract a Field using regex, i would like out of the above string "1.7.53a" for field Version Various versions exist, one could be 4.3.0.15 or 1.7.53 or 1.7.53a etc... so basically in the above access log i want to grab that version field and get rid of the \x22 on each side of the version number.

Help with some basic REGEX please?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...