topic How to extract the field "alert" with the field name action? in Splunk Search

How to extract the field "alert" with the field name action?

balu1211 — Fri, 02 Dec 2022 14:34:09 GMT

Hi,

how to extract the field "alert" with the field name action.

help with the regex..

Thanks.

Re: Help with the field extraction and regex

ITWhisperer — Tue, 29 Nov 2022 18:06:06 GMT

Please can you share some anonymised sample log events to clarify what it is you want to extract from where?

Re: Help with the field extraction and regex

yuanliu — Tue, 29 Nov 2022 18:21:06 GMT

I'm guessing

| rex "Last Matched Message: \",\"action\":\"(?<action>\w+)"

Re: Help with the field extraction and regex

balu1211 — Tue, 29 Nov 2022 18:38:47 GMT

XML

Re: Help with the field extraction and regex

ITWhisperer — Tue, 29 Nov 2022 18:33:28 GMT

| rex "(?<action>Last Matched Message: \",\"action\"\w+):\"alert\""

Re: Help with the field extraction and regex

balu1211 — Tue, 29 Nov 2022 18:47:36 GMT

This one is not working ...

Re: Help with the field extraction and regex

ITWhisperer — Tue, 29 Nov 2022 18:53:17 GMT

In what way is it not working?

Re: Help with the field extraction and regex

balu1211 — Tue, 29 Nov 2022 19:02:25 GMT

Regex is not matching with the XML log

Re: Help with the field extraction and regex

ITWhisperer — Tue, 29 Nov 2022 19:34:57 GMT

Please can you share an anonymised sample of the XML log you are trying to extract from?

Re: Help with the field extraction and regex

balu1211 — Wed, 30 Nov 2022 16:34:19 GMT

format":"json","version":"1.0",ta":"20829","":"","selector":"REQUEST_HEADERS:Content-Length","tag":"ASE/","id":"3000180","message":"Partial Request Body Inspection Warning - Request Body is larger than the configured inspection limit","version":"1"},{"data":"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, Mitigated Rules: , "selector":"REQUEST_HEADERS:Content-L

Re: Help with the field extraction and regex

ITWhisperer — Wed, 30 Nov 2022 08:29:31 GMT

Sorry, there was an extra \w+ which was unnecessary

| makeresults | fields - _time ``` Set up example data ``` | eval _raw="format\":\"json\",\"version\":\"1.0\",\"attackData\":{\"rules\":[{\"data\":\"20829\",\"action\":\"alert\",\"selector\":\"REQUEST_HEADERS:Content-Length\",\"tag\":\"ASE/WEB_ATTACK/POLICY\",\"id\":\"3000180\",\"message\":\"Partial Request Body Inspection Warning - Request Body is larger than the configured inspection limit\",\"version\":\"1\"},{\"data\":\"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, Mitigated Rules: , Last Matched Message: \",\"action\":\"alert\",\"selector\":\"REQUEST_HEADERS:Content-Length\",\"tag\":\"ASE/WEB_ATTACK/POLICY\",\"id\":\"POLICY-" ``` ---------------------- ``` ``` rex to extract the values ``` | rex "(?<action>Last Matched Message: \",\"action\"):\"alert\""

btw, your example is not XML, it looks more like part of a JSON message

Re: Help with the field extraction and regex

balu1211 — Wed, 30 Nov 2022 12:04:07 GMT

@ITWhisperer
I should get the variables "alert" or "deny " but using the below rex , the result it is showing
Last Matched Message: ","action"
| rex "(?<action>Last Matched Message: \",\"action\"):\"alert\""

Re: Help with the field extraction and regex

ITWhisperer — Wed, 30 Nov 2022 12:10:10 GMT

Where does "deny" come from?

Please provide events showing each of these conditions and how you determine when the "deny" or "alert" field should be populated? (I am assuming by variable you mean field!)

Re: Help with the field extraction and regex

balu1211 — Thu, 01 Dec 2022 03:03:25 GMT

Re: Help with the field extraction and regex

ITWhisperer — Wed, 30 Nov 2022 13:10:54 GMT

| rex "Last Matched Message: \",\"action\":\"(?<alert>alert)" | rex "Last Matched Message: \",\"action\":\"(?<deny>deny)"

Re: Help with the field extraction and regex

balu1211 — Wed, 30 Nov 2022 13:17:43 GMT

@ITWhisperer

is there any scope to get the variable deny/alert we get under one field extraction?

Re: Help with the field extraction and regex

ITWhisperer — Wed, 30 Nov 2022 14:25:51 GMT

| rex "Last Matched Message: \",\"action\":\"(?<alert>alert)|(?<deny>deny)"

Re: Help with the field extraction and regex

balu1211 — Fri, 02 Dec 2022 12:22:24 GMT

@ yuanliu @ITWhisperer

help in extracting the field AKAMAI/WAF/* ( * represents they may be values present followed by AKAMAI/WAF/------) in from "tag":"AKAMAI/WAF/PENALTYBOX"

thanks

Re: Help with the field extraction and regex

ITWhisperer — Fri, 02 Dec 2022 12:42:27 GMT

| rex "\"tag\":\"AKAMAI\/WAF\/(?<akamai_waf>[^\"]+)\""

Re: Help with the field extraction and regex

balu1211 — Mon, 05 Dec 2022 10:55:36 GMT

,............