Extraction using rex

rkris — Wed, 12 Aug 2020 15:50:16 GMT

This is a dashboard panel that i've created by extracting virus information from a log file

This is my search query

I actually want to see only the virus names and the IP addresses. So, it should look like this:

How would I change my regex to obtain this result?

Re: Extraction using rex

richgalloway — Wed, 12 Aug 2020 19:25:19 GMT

If you can share your sample data as text instead of a screen shot then we can test with it.

Re: Extraction using rex

rkris — Thu, 13 Aug 2020 13:00:13 GMT

@richgalloway

This is my sample data in text format:

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:729:1] Virus - Possible scr Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 37.236.185.162:80 -> 10.10.50.218:100

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:779:1] Virus - Possible NewApt.Worm - gadget.exe <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 161.38.138.124:80 -> 10.10.50.85:100

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:757:1] Virus - Possible Y2K Zelu Trojan <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 187.226.150.129:80 -> 10.10.50.102:100

Apr 23 14:13:35 [143.5.113.3] snort: [1:767:1] Virus - Possible NewApt.Worm - baby.exe [Classification: ] [Priority: ]: {PROTOCOL} 222.190.104.160:58287 -> 26.73.78.96:25

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:727:1] Virus - Possible MyRomeo Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 149.170.61.35:80 -> 10.10.50.154:100

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:800:1] Virus - Possible Resume Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 234.87.141.144:80 -> 10.10.50.17:100

Apr 23 14:13:35 [143.5.113.3] snort: [1:801:1] Virus - Possible Worm - doc.vbs file [Classification: ] [Priority: ]: {PROTOCOL} 240.81.210.240:58287 -> 66.56.229.39:25

Apr 23 14:13:35 [143.5.113.3] snort: [1:757:1] Virus - Possible Y2K Zelu Trojan [Classification: ] [Priority: ]: {PROTOCOL} 60.151.205.115:58287 -> 110.244.14.35:25

Apr 23 14:13:50 [143.5.113.3] snort: [1:2266:1] VIRUS OUTBOUND .doc file attachment [Classification: ] [Priority: ]: {PROTOCOL} 234.182.233.181:58287 -> 0.235.220.175:25

Apr 23 14:13:39 [143.5.113.3] snort[1976]: [1:1234:1] WEB-MISC VirusWall FtpSaveCSP access <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 192.69.129.252:80 -> 10.10.50.30:100

Apr 23 14:13:35 [143.5.113.3] snort: [1:730:1] Virus - Possible shs Worm [Classification: ] [Priority: ]: {PROTOCOL} 145.134.206.152:58287 -> 112.8.113.14:25

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:732:1] Virus - Possible QAZ Worm Infection <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 36.75.150.0:80 -> 10.10.50.229:100

I only want to retrieve the virus names and IP addresses which are highlighted in red.

And this is my search query in text format:

source="General-linux-sql.log" sourcetype="Linux"
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table virus_name
| stats count by virus_name

Re: Extraction using rex

richgalloway — Thu, 13 Aug 2020 14:02:32 GMT

Thanks for the sample data. This rex command isn't perfect, but should get you close to want you seek.

| rex "snort(?:\[[^\]]+])?: \[[^\]]+] (?<virus>[^\[\<]+).+(?:\{PROTOCOL}|TCP) (?<ip>.*)"

topic Extraction using rex in Splunk Search

Extraction using rex

Re: Extraction using rex

Re: Extraction using rex

Re: Extraction using rex