topic Re: search time regular expression. in Security

search time regular expression.

jsuryaprakash — Wed, 30 Sep 2020 01:34:56 GMT

Hi All , below is my sample data. We are receiving data using key=value pairs like below.

time=time1 | dest_ip=abmncd.com-123.45.64.78|src_ip=nahahha.com-142.36.28.69|action=success........

I just want to extract just ip address's from dest_ip and src_ip fields at search time in props.conf . when i write rex in search its working, below is my search command which is working..

index =test | rex field=dest_ip "(?(\d{1,3}.){3}\d{1,3})" |rex field src_ip "(?(\d{1,3}.){3}\d{1,3})"

But when i create inline extract in props.conf its not working.

[sourcetype]
EXTRACT-dest_ip = dest_ip="(?(\d{1,3}.){3}\d{1,3})"
EXTRACT-src_ip = src_ip ="(?(\d{1,3}.){3}\d{1,3})"

We need to use the same field names to work with CIM datamodels. we are ok with search time extraction or index time extractions also.Please help

Thanks

Re: search time regular expression.

gaurav_maniar — Fri, 02 Aug 2019 08:46:27 GMT

Hi Jsuryaprakash,

Your EXTRACT stanza syntax is incorrect, change it to

EXTRACT-dest_ip = dest_ip\=[^\-]+\-(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
EXTRACT-src_ip = src_ip\=[^\-]+\-(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Please upvote and accept the answer if it helps.

Re: search time regular expression.

jsuryaprakash — Fri, 02 Aug 2019 13:30:04 GMT

No, its not working. Still field are coming with dns name ip combinations.

Re: search time regular expression.

gaurav_maniar — Wed, 07 Aug 2019 14:39:17 GMT

Splunk restart is restart is required if any configuration changes are done, have restarted splunk after these configuration changes?

Even after restart it doesn't work, let me know.