Remove " from capture group after matching key word

jsull1van
Explorer

I have syslogs where formatting is not consistent and values I am looking for may be enclosed in quotes. Example below:

alertMessage="User logged in" or alertMessage=User logged in

The regex expression I am using finds the full message but includes " for the event with quotes around the message.

alertMessage=(?:[^\"]+\")?(?<msg>.[a-zA-z0-9 ]*)

I end up with msg=User logged in or msg="User logged in. What do I need to modify in the regex expression so that it will ignore the " and only return the message without the quote at the beginning?

1 Solution

grittonc
Contributor

Try alertMessage=\"?(?<msg>[a-zA-Z0-9 ]*). It works in this example:

| makeresults
| eval foo="alertMessage=User logged in"
| append
    [| makeresults
     | eval foo="alertMessage=\"User logged in\""]
| rex field=foo "alertMessage=\"?(?<msg>[a-zA-Z0-9 ]*)"

I just made the first quote optional, and the msg field can only contain alphanumerics or a space, which leaves out the second quote.


0 Karma
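To see why the asker's pattern keeps the opening quote and why the accepted one drops it, here is an added Python example that is not from the thread: Python's re stands in for Splunk's PCRE rex (the only change is the (?P<name>...) group syntax and the character class corrected to A-Z), the sample lines are trimmed from the question and from the Ixia syslogs posted later in the thread, and the HARDENED pattern with its "," and ")" delimiters is my own assumption for messages that contain punctuation, which the accepted class would cut short.

```python
import re

# Sample events: the two forms from the question, fragments trimmed from the
# Ixia syslog samples in the thread, and one constructed line (last) whose
# message contains punctuation.
EVENTS = [
    'alertMessage="User logged in"',
    'alertMessage=User logged in',
    'alertDateTime=2019-05-08T15:42:39.000:00, alertMessage="User logged out", userSessionsName="admin"',
    '(OCTET STRING alertMessage=User logged out)(OCTET STRING userSessionsName.0.=admin)',
    '(OCTET STRING alertMessage=Heartbeat 2 status changed from failed to active)(OCTET STRING port=2)',
    'alertMessage="Login failed: bad password", userSessionsName="admin"',  # constructed
]

# Asker's original: the optional group can never match when the value starts
# with a quote, so the "." in the capture group swallows that opening quote.
ASKER = re.compile(r'alertMessage=(?:[^"]+")?(?P<msg>.[a-zA-Z0-9 ]*)')
# Accepted answer: optional opening quote; the class itself stops at the
# closing quote, but also at any other punctuation inside the message.
ACCEPTED = re.compile(r'alertMessage="?(?P<msg>[a-zA-Z0-9 ]*)')
# Hardened variant (assumption, not from the thread): a quoted value runs to
# its closing quote, a bare value to the next "," or ")" seen in the samples.
HARDENED = re.compile(r'alertMessage=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,)]*))')


def extract(pattern, line):
    """Return the first populated named group of the first match, or None."""
    m = pattern.search(line)
    if m is None:
        return None
    return next(v for v in m.groupdict().values() if v is not None).strip()


if __name__ == "__main__":
    for name, pat in (("asker", ASKER), ("accepted", ACCEPTED), ("hardened", HARDENED)):
        print(f"== {name}")
        for line in EVENTS:
            print(f"  {extract(pat, line)!r}")
```

In SPL the hardened form yields two fields, quoted and bare, so follow the rex with | eval msg=coalesce(quoted, bare) to get one field.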

sravankaripe
Communicator

alertMessage="/"(?:[^\"]+)/""

Use this rex if it won't work:
alertMessage="\"(?:[^\"]+)\""

0 Karma


jsull1van
Explorer

This worked, appreciate the assistance.

0 Karma

Sukisen1981
Champion

Why not use something like

|eval alertMessage=replace(alertMessage,"\"","")
0 Karma

jsull1van
Explorer

Have not thought of that, but I am trying to leverage field extractions so I can parse out the different messages. These are from Ixia syslogs, and they are not very consistent on the formatting of the event messages.

0 Karma

grittonc
Contributor

Do you need the dot after <msg>? That would match any single character, right?

0 Karma

jsull1van
Explorer

Probably should have added this as well.

May 8 15:42:39 system xconfigd: Sent ixiaUserAuthenticationStatusChangedTrap trap: { alertSequence=200, eventIndex=0, alertSeverity=2, alertType=640901010b000100, alertDateTime=2019-05-08T15:42:39.000:00, alertMessage="User logged out", userSessionsName="admin", userSessionsSessionId=5104774, userSessionsPrivlevel=1, userSessionsAuthMethod="external", userSessionsIpAddr=0a130f87, userSessionsPort=54095, userSessionsClientType="webui", userSessionsLoginTime="2019-05-08_14:48:51", userSessionsProtocol=7, userSessionsType=0, userSessionsSrvip=0.0.0.0, aaaServerStatusCurrStatus=4 }
May 8 10:48:57 system confd[560]: snmp snmpv2-trap reqid=1738996040 34.34.87.112:162 (TimeTicks sysUpTime=1675091498)(OBJECT IDENTIFIER snmpTrapOID=ixiaUserAuthenticationStatusChangedTrap)(Unsigned32 alertSequence=182)(Unsigned32 eventIndex=0)(INTEGER alertSeverity=2)(OCTET STRING alertType=64:09:01:01:0B:00:01:00)(OCTET STRING alertDateTime=07:E3:05:08:0A:30:39:00:2B:00:00)(OCTET STRING alertMessage=User logged out)(OCTET STRING userSessionsName.0.=admin)(INTEGER userSessionsSessionId.0.=5490289)(INTEGER userSessionsPrivlevel.0.=1)(OCTET STRING userSessionsAuthMethod.0.=pam)(OCTET STRING userSessionsIpAddr.0.=0A:12:0F:87)(Unsigned32 userSessionsPort.0.=54603)(OCTET STRING userSessionsClientType.0.=webui)(OCTET STRING userSessionsLoginTime.0.=2019-05-08_09:56:54)(INTEGER userSessionsProtocol.0.=7)(INTEGER userSessionsType.0.=0)(IpAddress userSessionsSrvip.0.=0.0.0.0)(INTEGER aaaServerStatusCurrStatus.0.=4)
Apr 28 08:35:36 system confd[562]: snmp snmpv2-trap reqid=555570968 45.12.100.124:162 (TimeTicks sysUpTime=816688009)(OBJECT IDENTIFIER snmpTrapOID=uapHeartbeatStatusChangedTrap)(Unsigned32 alertSequence=250)(Unsigned32 eventIndex=530)(INTEGER alertSeverity=2)(OCTET STRING alertType=01:01:64:01:09:01:01:0D:00:01:00:00)(OCTET STRING alertDateTime=07:E3:04:1C:08:23:24:00:2B:00:00)(OCTET STRING alertMessage=Heartbeat 2 status changed from failed to active)(OCTET STRING port=2)(OCTET STRING uapHeartbeatPeer.0.=1)(INTEGER uapHeartbeatAdmin.0.=1)(INTEGER uapHeartbeatStatus.0.=1)

0 Karma

jsull1van
Explorer

Looks like it. Taking it out does not pull over the message in quotes.

0 Karma