https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402987#M4617 <P>I want to make a usecase that will detect the usage of several destination port numbers. For this, I think it's easiest to use a regular expression. But I'm not sure. I'm also having trouble implementing a regular expression into my query. I've never worked with them before. </P> <P>Please evaluate the following information and tell me what you think is best to develop the query. </P> <OL> <LI>The usecase must be easy to add or remove any port numbers from, in case we want to detect other things.</LI> <LI>The usecase must be able to detect ranges of port numbers when indicated.</LI> </OL> <P>Now, for what I've tried is the following: </P> <BLOCKQUOTE> <P>index=network <BR /> | regex dest_port&gt;="688[1-9]"</P> </BLOCKQUOTE> <P>But this doesn't work. I will use datamodel later. <BR /> The range for the ports is: </P> <UL> <LI>6881 to 6889</LI> <LI>6969</LI> </UL> <P>In addition to those ports, we also want it to alert when it finds the following strings in the field app_category:</P> <UL> <LI>app_category field contains tracker</LI> <LI>app_category field contains torrent</LI> </UL> <P>Any help would be much appreciated. I think someone with a lot of regular expression experience will be able to make the query easily, I've been stuck on it for hours sadly and I would love some help.</P> <P>Thanks!</P> Fri, 11 Jan 2019 11:44:09 GMT kokanne 2019-01-11T11:44:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402987#M4617 <P>I want to make a usecase that will detect the usage of several destination port numbers. For this, I think it's easiest to use a regular expression. But I'm not sure. I'm also having trouble implementing a regular expression into my query. I've never worked with them before. </P> <P>Please evaluate the following information and tell me what you think is best to develop the query. </P> <OL> <LI>The usecase must be easy to add or remove any port numbers from, in case we want to detect other things.</LI> <LI>The usecase must be able to detect ranges of port numbers when indicated.</LI> </OL> <P>Now, for what I've tried is the following: </P> <BLOCKQUOTE> <P>index=network <BR /> | regex dest_port&gt;="688[1-9]"</P> </BLOCKQUOTE> <P>But this doesn't work. I will use datamodel later. <BR /> The range for the ports is: </P> <UL> <LI>6881 to 6889</LI> <LI>6969</LI> </UL> <P>In addition to those ports, we also want it to alert when it finds the following strings in the field app_category:</P> <UL> <LI>app_category field contains tracker</LI> <LI>app_category field contains torrent</LI> </UL> <P>Any help would be much appreciated. I think someone with a lot of regular expression experience will be able to make the query easily, I've been stuck on it for hours sadly and I would love some help.</P> <P>Thanks!</P> Fri, 11 Jan 2019 11:44:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402987#M4617 kokanne 2019-01-11T11:44:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402988#M4618 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/96384">@kokanne</a> ,</P> <P>For the dest_port, try</P> <PRE><CODE>index=network | regex dest_port="688[1-9]|6969" </CODE></PRE> <P>and for the app_category, you could search with <CODE>(app_category="*tracker*" OR app_category="*torrent*")</CODE></P> <P>Or if both conditions are to be matched , try</P> <PRE><CODE>index=network |where (match(dest_port,"688[1-9]|6969") OR match(app_category,"tracker|torrent")) </CODE></PRE> Tue, 29 Sep 2020 22:44:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402988#M4618 renjith_nair 2020-09-29T22:44:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402989#M4619 <P>Like this (breaks down at 1000 values):</P> <PRE><CODE>index=network [ |makeresults | eval port=mvappend(mvrange(6881, 6889, 1), "6969") | format ] </CODE></PRE> Sat, 12 Jan 2019 00:25:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402989#M4619 woodcock 2019-01-12T00:25:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402990#M4620 <P>Do NOT use <CODE>regex</CODE> because it does not map-reduce and you will pull all the values out only to throw them away and your search will take 1000x longer than the way that I just showed you.</P> Sat, 12 Jan 2019 00:26:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/In-Splunk-Enterprise-Security-how-do-you-use-a-regular/m-p/402990#M4620 woodcock 2019-01-12T00:26:33Z