https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178225#M51268 <P>Where are the logs coming from? There might be an exisiting TA to handle extractions.</P> Fri, 13 Dec 2013 16:35:37 GMT alacercogitatus 2013-12-13T16:35:37Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178224#M51267 <P>Greetings, I am trying to write a regex but am not successful as of yet. I am trying to match the:</P> <P>Bot: Mariposa Command and Control<BR /> Suspicious user-agent strings<BR /> Kelihos.Gen Command And Control Traffic</P> <P>from these logs:</P> <P>Dec 12 15:08:55 ngf01.ourdomain.com 1,2013/12/12 15:08:55,0009C101128,THREAT,spyware,1,2013/12/12 15:08:49,192.155.89.148,10.17.41.22,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,unknown-udp,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 15:08:55,1821341,1,7006,2059,0,0,0x80004000,udp,alert,"",Bot: Mariposa Command and Control(12652),any,critical,server-to-client,14479581293,0x0,United States,10.0.0.0-10.255.255.255,0,</P> <P>Dec 12 14:42:37 ngf01.ourdomain.com 1,2013/12/12 14:42:37,0009C101128,THREAT,spyware,1,2013/12/12 14:42:31,82.80.204.14,10.33.112.112,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 14:42:36,2034205,1,80,52924,0,0,0x80004000,tcp,alert,"ceb.aspx",Suspicious user-agent strings(10004),any,medium,server-to-client,14477791661,0x0,Israel,10.0.0.0-10.255.255.255,0,</P> <P>Dec 12 15:05:59 ngf01.ourdomain.com 1,2013/12/12 15:05:59,0009C101128,THREAT,spyware,1,2013/12/12 15:05:54,211.120.150.217,10.17.31.175,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,unknown-tcp,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 15:05:59,1312191,1,80,2091,0,0,0x80004000,tcp,alert,"",Kelihos.Gen Command And Control Traffic(13390),any,critical,server-to-client,14479382956,0x0,Japan,10.0.0.0-10.255.255.255,0,</P> <P>Any help would be greatly appreciated!</P> <P>Dave</P> Fri, 13 Dec 2013 16:21:17 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178224#M51267 ccsfdave 2013-12-13T16:21:17Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178225#M51268 <P>Where are the logs coming from? There might be an exisiting TA to handle extractions.</P> Fri, 13 Dec 2013 16:35:37 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178225#M51268 alacercogitatus 2013-12-13T16:35:37Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178226#M51269 <P>It is coming from a Palo Alto 5050. I am now looking through the PAN app. Thanks.</P> Fri, 13 Dec 2013 17:00:09 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178226#M51269 ccsfdave 2013-12-13T17:00:09Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178227#M51270 <P>OK, so the PAN app has it, how do I find the regex or how it defines the "threat_id" field from the app?</P> Fri, 13 Dec 2013 17:03:39 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178227#M51270 ccsfdave 2013-12-13T17:03:39Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178228#M51271 <P>Ugh, I think I can pull this out now. So PAN looks to the 5 digit code after the threat: 12652, 10004, 13390 (from above) and then looks up that code in a lookup to come up with the name of the threat.</P> <P>I think I can take it from here. Thanks alacercogitatus for pointing me in the right direction.</P> Fri, 13 Dec 2013 17:22:32 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex/m-p/178228#M51271 ccsfdave 2013-12-13T17:22:32Z