topic Re: Regex replace field text in Splunk Search

Regex replace field text

g_paternicola — Thu, 29 Oct 2020 07:29:17 GMT

Hello everyone,

I was wondering if this kind of search is possible. I want to replace the text from my search which looks like this:

eventtype=zyxel_user sourcetype="zyxel-fw" msg="Failed login attempt to Device from *"
| stats count by msg
| rex field=msg mode=sed "s/'Failed login attempt to Device from ssh (incorrect password or inexistent username)'/SSH/g"

Basically, I want to get instead of this long string (Failed login attempt to Device.....) just SSH, so I can create a Pie Chart with this information.

Is that possible?

Thank you very much for helping me!

Re: Regex replace field text

gcusello — Thu, 29 Oct 2020 07:36:02 GMT

Hi @g_paternicola,

why didn't you try your search? it seems to be almost correct:

you have only to escape special chars as ():

eventtype=zyxel_user sourcetype="zyxel-fw" msg="Failed login attempt to Device from *" | stats count by msg | rex field=msg mode=sed "s/Failed login attempt to Device from ssh \(incorrect password or inexistent username\)/SSH/g"

You could also explore the replace command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace)

Ciao.

Giuseppe

Re: Regex replace field text

g_paternicola — Thu, 29 Oct 2020 07:47:17 GMT

Hi Giuseppe, my name is also Giuseppe 🙂

I didn't thought about search, thank you! Ohh man, I tried to escape, but I put just one \ at the beginning and not also at the end.

Just in case I have more of this kind of strings, do I also have to put for each one (e.g. FTP, HTTP, etc..) a different sed command?

Re: Regex replace field text

gcusello — Thu, 29 Oct 2020 08:16:09 GMT

Hi Giuseppe,

it's a pleasure to know you!

Anyway, if you have to replace many strings, you could create a lookup containing all these pairs for transformations and use it with the lookup command.

I don't like it, but you could also create an automatic lookup so everytime you have there strings they are automatically changed.

Ciao Giuseppe

P.S.: if you're italian, there's finally a Splunk User Group also in Italy;

Karma Points are appreciated ;-).

Re: Regex replace field text

g_paternicola — Thu, 29 Oct 2020 08:22:04 GMT

Yes, I could use a lookup command but for now I'm gonna use the replace command :). But in the future if the results are gonna be bigger and bigger with more than only ssh, ftp and http, then yes, I will use the lookup command in order to automate it... thank you!