Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Pulling extracts from Snort alerts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to be less dependent on automated regex and learn more about doing my own regex for field extractions. I have have these fields from Snort (IP addresses have been modified):
12/27-13:46:30.535369 [**] [1:2019876:2] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 100.31.116.39:35016 -> 172.20.16.2:22
12/27-13:34:12.027500 [**] [1:2500056:4184] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 30 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 100.83.149.133:58061 -> 172.20.16.2:22
I'm trying to extract between the first [**] and the second [**] giving me:
ET SCAN SSH BruteForce Tool with fake PUTTY version
AND
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29
The extract I put together is:
^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P\D{15,75}\s)\[\*\*\]
It works on everything that doesn't end in a number such as TCP group 30, approximately 10% of my alerts end in a number such as 30. I've tried everything I can think of. Any help would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved myself ^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P<alert>((\D|\d){15,75})\s)\[\*\*\]
Just goes to show, leave it alone for a bit and then come back.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try this regex:
your query to return events
|rex " \[\*\*\].*?\](?<etCapturedData>[^\[]+)\s*\[\*\*\]"
| table etCapturedData
You can rename etCapturedData field to any name of your choice by changing in (?<etCapturedData>[^\[]+)
For the Extraction and its explanation (check the right hand side columns) here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Rex does work, but I was looking for Field Extractions, I'm assuming this is probably a more elegant way of extracting than I used.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same regex would have worked well in the field extraction too. But if you have solved it, then good, else this regex above is much more compact and will not be too dependent on the strict sequences of \d{n} as your regex might fail if:
- The
\d'swere to mismatch in any log line. - If the content within the capturing group
(\D|\d){15,75})were to exceed 75 chars.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved myself ^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P<alert>((\D|\d){15,75})\s)\[\*\*\]
Just goes to show, leave it alone for a bit and then come back.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
