topic Re: ReGex for certain data in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/Help-with-ReGex-for-certain-data/m-p/610604#M13720 <P>You have two values (same) in the data. So, you can do this to extract and filter out the duplicates</P><LI-CODE lang="markup">| rex max_match=0 "TCP from (?&lt;TCP&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval TCP=mvdedup(TCP)</LI-CODE> Wed, 24 Aug 2022 04:10:51 GMT bowesmana 2022-08-24T04:10:51Z Help with ReGex for certain data https://community.splunk.com/t5/Splunk-Enterprise/Help-with-ReGex-for-certain-data/m-p/610600#M13719 <P>Hi peeps,</P> <P>Need help in extracting some fields;</P> <P>Sample logs:</P> <P>Aug 24 09:30:43 101.11.10.01 CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|GNRL_EV_ATTACK_DETECTED|Network attack detected|4|msg=User: NT AUTHORITY\\SYSTEM (System user)\r\nComponent: Network Threat Protection\r\nResult description: Blocked\r\nName: Scan.Generic.PortScan.TCP\r\nObject: <STRONG><FONT color="#FF0000">TCP from <U>101.11.10.01</U></FONT></STRONG> at 101.11.10.01:25\r\nObject type: Network packet\r\nObject name: TCP from 101.11.10.01 at 101.11.10.01\r\nAdditional: 101.11.10.01\r\nDatabase release date: 23/8/2022 12:26:00 PM rt=1661304218000 cs9=Workstation cs9Label=GroupName dhost=082HALIM141 dst=101.11.10.01 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Network Threat Protection cs10Label=TaskName cs1=Scan.Generic.PortScan.TCP cs1Label=AttackName cs6=TCP cs6Label=AttackedProtocol cs4=2887053442 cs4Label=AttackerIPv4 cs7=25 cs7Label=AttackedPort cs8=2887125841 cs8Label=AttackedIP</P> <P>&nbsp;</P> <P>Aug 24 09:30:43 101.11.10.01 CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|GNRL_EV_ATTACK_DETECTED|Network attack detected|4|msg=User: NT AUTHORITY\\SYSTEM (System user)\r\nComponent: Network Threat Protection\r\nResult description: Blocked\r\nName: Scan.Generic.PortScan.TCP\r\nObject: TCP from 101.11.10.01 at 101.11.10.01:42666\r\nObject type: Network packet\r\nObject name: <FONT color="#FF0000"><STRONG>TCP from <U>101.11.10.01</U></STRONG></FONT> at 101.11.10.01:42666\r\nAdditional: 101.11.10.01\r\nDatabase release date: 23/8/2022 12:26:00 PM rt=1661304218000 cs9=Workstation cs9Label=GroupName dhost=082HALIM141 dst=101.11.10.01 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Network Threat Protection cs10Label=TaskName cs1=Scan.Generic.PortScan.TCP cs1Label=AttackName cs6=TCP cs6Label=AttackedProtocol cs4=2887053442 cs4Label=AttackerIPv4 cs7=42666 cs7Label=AttackedPort cs8=2887125841 cs8Label=AttackedIP</P> <P>&nbsp;</P> <P>I need help to extract the underline value for fields name TCP.</P> <P>Sample:&nbsp;</P> <P><STRONG>TCP=<FONT color="#000000">101.11.10.01</FONT></STRONG></P> <P>Please help. Thanks.</P> Wed, 24 Aug 2022 14:22:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-ReGex-for-certain-data/m-p/610600#M13719 syazwani 2022-08-24T14:22:41Z Re: ReGex for certain data https://community.splunk.com/t5/Splunk-Enterprise/Help-with-ReGex-for-certain-data/m-p/610604#M13720 <P>You have two values (same) in the data. So, you can do this to extract and filter out the duplicates</P><LI-CODE lang="markup">| rex max_match=0 "TCP from (?&lt;TCP&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval TCP=mvdedup(TCP)</LI-CODE> Wed, 24 Aug 2022 04:10:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-ReGex-for-certain-data/m-p/610604#M13720 bowesmana 2022-08-24T04:10:51Z