topic How to replace a string with RegEx in search result in Splunk Search

How to replace a string with RegEx in search result

Dolfing — Wed, 15 Jun 2022 08:33:04 GMT

I have my Sonicwall logfiles coming into Splunk. By searching this index I want to replace "dst" (Destination IP address) without portnumber and interface with (for example) RegEx. Note that the formats used for "src" and "dst" = (ip address):(port number):(interface)

So when I do a search like (NOTE: the red sentence is my own attempt, however, it does not give a result I had in mind.):

index=sonicwall msg="Connection Opened" OR msg="Connection Closed" earliest=-2m latest=-1m
| eval dst=if(match(dst, "\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}:\d{1,5}:X\d{1}"), dst, replace(dst, "(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}):\d{1,5}:X\d{1}","\1"))
| stats first(_time) as _time by src dst proto msg
| inputlookup append=t firewall_open_connections
| fillnull msg value="Connection Opened"
| eval closed=if(msg="Connection Closed",_time,"1")
| eval open=if(msg="Connection Opened",_time,"1")
| stats first(open) as open first(closed) as closed by src dst proto
| where open > closed
| rename open as _time
| fields src dst proto _time
| outputlookup firewall_open_connections

Results in:

src	dst	proto	_time
10.0.1.5:50492:X2	8.8.8.8:53:X1	udp/dns	2022-06-14 15:40:08
192.168.1.100:37016:X0	54.81.233.206:443:X1	tcp/https	2022-06-14 15:39:01
192.168.1.100:38376:X0	104.244.42.130:443:X1	tcp/https	2022-06-14 14:49:14
192.168.1.100:38611:X0	172.217.132.170:443:X1	udp/https	2022-06-14 15:37:51

Now I would like the "dst" results to be stripped of :(port number):(interface)or :(interface). In other words, only the IP address should remain

How do I do that within my query in Splunk with for example RegEx (or another method)?

Any tip is welcome, am very new to Splunk.

Re: How to replace a string with RegEx in search result

rymundo_splunk — Thu, 16 Jun 2022 16:26:30 GMT

Hi, I think you want to use the rex command here. In my example below, I am taking the leading four octets of src and dst and putting them into new fields named src_after and dst_after. Everything after the first four octets is ignored. All of the stuff in |makeresults and |spath is just for me to build up some fake data using what you provided. The part you want to look at starts with the |rex steps. I hope this helps.

| makeresults | eval json="{ \"src\":\"10.0.1.5:50492:X2\", \"dst\":\"8.8.8.8:53:X1\" }"
| append [| makeresults | eval json="{ \"src\":\"192.168.1.100:37016:X0\", \"dst\":\"54.81.233.206:443:X1\" }"]
| append [| makeresults | eval json="{ \"src\":\"192.168.1.100:38376:X0\", \"dst\":\"104.244.42.130:443:X1\" }"]
| append [| makeresults | eval json="{ \"src\":\"192.168.1.100:38611:X0\", \"dst\":\"172.217.132.170:443:X1\" }"]
| spath input=json
| rex field=src "^(?<src_after>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=dst "^(?<dst_after>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| table src src_after dst dst_after

Re: How to replace a string with RegEx in search result

PickleRick — Thu, 16 Jun 2022 19:22:24 GMT

You can use replace() function to trim everything from the semicolon to the end of the field.

| eval dst=replace(dst,":.*","")

Re: How to replace a string with RegEx in search result

Dolfing — Mon, 20 Jun 2022 08:16:57 GMT

Thank you, this is a simple and effective way that I was looking for. Really appreciate it.

Re: How to replace a string with RegEx in search result

Dolfing — Mon, 20 Jun 2022 08:22:07 GMT

Thank you for your answer. Definitely much appreciated. However, this is not the solution I was looking for because I have to change everything myself or include it in a regex list. However, the examples in my post were only a few lines, but the actual result is thousands of lines.