Solved: how to rex field number of infected file for clama...

cyberportnoc · ‎07-10-2017

Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0
source = /var/log/remote/icopenstack01.log sourcetype = icopenstack-too_small

how to rex field the number after Infected files:

"Infected files:" | rex field=_raw "Infected files: (?\d+.)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

i use this query but Infected field is empty

cpetterborg · ‎07-10-2017

You need to name the field you extracted (?P<Infected>\d+):

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

View solution in original post

somesoni2 · ‎07-10-2017

I believe an additional dot at the end of your regex (after \d+) is causing your field extractions to fail. Use exact regex given by cpetterborg.

Also, when you post code/search, do remember to (after selecting the code/search) click on 101010 button or press Ctrl+K to format it, else, you'll lose special characters like capturing groups.

cpetterborg · ‎07-10-2017

You need to name the field you extracted (?P<Infected>\d+):

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

cyberportnoc · ‎07-11-2017

"Infected files:" | rex field=_raw "Infected files: (?\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

after tried many times, discover d* can solve this

how to rex field number of infected file for clamav scan report?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms