Getting Data In

Checking multiple regexes against one sourcetype

Drainy
Champion

I'm trying to define multiple REGEXes for one sourcetype. Because the events can vary massively, I need different regexes to recognise the different events.

Here are the contents of my props and transforms confs:
transforms.conf

[tcpdump_basic]
REGEX = ([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+[^:]+) ([^ ]+) ([1-2]{0,1}[0-9]{1,2}\.[1-2]{0,1}[0-9]{1,2}\.[1-2]{0,1}[0-$
FORMAT = timestamp::$1 src_mac::$3 dest_mac::$5 net_layer::$8 source_host::$12 source_port::$14 destin_host::$16 destin_port::$18 protocol::$20

[tcpdump_vlan]
REGEX = ([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)([^:]+)([^ ]+) ([^ ]+) ([^,]+)([^ ]+)([^,]+)([^ ]+)([^,]+)([^ ]+)([^,]+)$
FORMAT = timestamp::$1 src_mac::$3 dest_mac::$5 encapsulation::$8 packet_length::$11 vlan_id::$14 message::$28


props.conf

[packet-capture]

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

REPORT-tcpdump_basic = tcpdump_basic
REPORT-tcpdump_vlan = tcpdump_vlan

The tcpdump_basic format always takes effect against the relevant events, but the vlan one never takes effect. According to RegExr it should recognise the event it's based on (I used RegExr to build the first regex too).
Some example data:

The one that tcpdump_basic correctly identifies:

17:59:01.098070 00:21:85:6f:cc:cb > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 75: 192.168.254.6.61231 > 224.0.0.252.5355: UDP, length 33

The one that I want tcpdump_vlan to identify; the regex appears to work on RegExr, but it isn't working with the setup shown above, or when just used alone:

18:14:56.431181 00:0f:90:e9:12:c2 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 64: vlan 1, p 7, LLC, dsap STP (0x42), ssap STP (0x42), cmd 0x03: 802.1d config 8001.00:0f:90:e9:12:c0.8002 root 8001.00:05:dc:c0:9c:00 pathcost 19 age 1 max 20 hello 2 fdelay 15 
    0x0000:  0180 c200 0000 000f 90e9 12c2 8100 e001  ................
    0x0010:  0026 4242 0300 0000 0000 8001 0005 dcc0  .&BB............
    0x0020:  9c00 0000 0013 8001 000f 90e9 12c0 8002  ................
    0x0030:  0100       

Anyone have any ideas?

1 Solution

Drainy
Champion

Ok, I've fixed it.
Instead I am just capturing smaller and readily identifiable chunks of data.
My biggest reason for not doing that before was that I needed to identify source and destination, but obviously after thinking it out I can just include the > in the regex to correctly list these.

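The fix Drainy describes, carried through as an added example that is not part of the original post: each small regex is searched against the event on its own, as separate REPORT-* transforms on one sourcetype would be, and the literal `>` between the two MAC addresses (and between the two IP endpoints) is what pins down which side is source and which is destination. The regexes, the stanza names and the use of named groups instead of FORMAT are my assumptions, not the transforms Drainy actually deployed. Python's `re` stands in for Splunk's PCRE engine so the check runs stand-alone (the `(?P<name>...)` group syntax is accepted by both); the sample events are the two from the question, with the vlan one kept multi-line, as the LINE_BREAKER in props.conf would leave it.

```python
import re

# Added example (not from the original post). Each entry plays the role of one
# transforms.conf stanza: a small regex that captures one readily identifiable
# chunk of a tcpdump line. Each is searched independently, so a stanza that does
# not apply to an event (vlan fields on an IPv4 frame, IP endpoints on an STP
# frame) simply yields no fields instead of stopping the others from matching.
# In transforms.conf the group names would become the field names, so no FORMAT
# line is needed. Stanza names and patterns are assumptions for illustration.
TRANSFORMS = {
    "tcpdump_timestamp": r"^(?P<timestamp>\d{2}:\d{2}:\d{2}\.\d+)",
    # The " > " between the MACs is what fixes source versus destination.
    "tcpdump_mac": (
        r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
        r"(?P<dest_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    ),
    "tcpdump_ethertype": r"ethertype (?P<ethertype>\S+) \((?P<ethertype_hex>0x[0-9a-fA-F]{4})\)",
    # Only the frame length is followed by a colon; "UDP, length 33" at the end
    # of the IPv4 event is the payload length and is deliberately not captured.
    "tcpdump_length": r"length (?P<packet_length>\d+):",
    # Same trick for layer 3: the " > " orders the two IP.port endpoints.
    "tcpdump_ipv4": (
        r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})\.(?P<src_port>\d+) > "
        r"(?P<dest_ip>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dest_port>\d+): (?P<protocol>\w+)"
    ),
    "tcpdump_vlan": r"vlan (?P<vlan_id>\d+), p (?P<vlan_priority>\d+)",
}

COMPILED = {name: re.compile(pattern) for name, pattern in TRANSFORMS.items()}


def extract(event: str) -> dict:
    """Run every transform against one event and merge the captured fields,
    mirroring several REPORT-* entries applied to a single sourcetype."""
    fields = {}
    for name, regex in COMPILED.items():
        match = regex.search(event)  # unanchored search, like Splunk's REGEX
        if match:
            fields.update(match.groupdict())
    return fields


# Sample events taken from the question above; the vlan frame is one event
# spanning the tcpdump summary line plus its hex dump lines.
BASIC_EVENT = (
    "17:59:01.098070 00:21:85:6f:cc:cb > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), "
    "length 75: 192.168.254.6.61231 > 224.0.0.252.5355: UDP, length 33"
)

VLAN_EVENT = "\n".join([
    "18:14:56.431181 00:0f:90:e9:12:c2 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), "
    "length 64: vlan 1, p 7, LLC, dsap STP (0x42), ssap STP (0x42), cmd 0x03: 802.1d config "
    "8001.00:0f:90:e9:12:c0.8002 root 8001.00:05:dc:c0:9c:00 pathcost 19 age 1 max 20 hello 2 fdelay 15",
    "    0x0000:  0180 c200 0000 000f 90e9 12c2 8100 e001  ................",
    "    0x0010:  0026 4242 0300 0000 0000 8001 0005 dcc0  .&BB............",
    "    0x0020:  9c00 0000 0013 8001 000f 90e9 12c0 8002  ................",
    "    0x0030:  0100",
])


if __name__ == "__main__":
    for label, event in (("basic", BASIC_EVENT), ("vlan", VLAN_EVENT)):
        print(label, extract(event))
```

Running the script prints the merged fields for both events: the IPv4 frame gets timestamp, MACs, ethertype, frame length and the four IP/port fields plus protocol, while the 802.1Q frame gets the same layer 2 fields plus vlan_id and vlan_priority and no IP fields. None of the chunk regexes can match inside the hex dump lines, which is the practical benefit of keeping each pattern small and anchored on a literal such as `ethertype` or `vlan` rather than one long run of `([^ ]+)` groups. The reason this matters beyond tidiness: a monolithic regex that silently fails on one class of event leaves those events with no extracted fields, so any search or alert keyed on src_mac or vlan_id simply never sees them. Before deploying, check each pattern against real events in Splunk with `| rex`, since that exercises the same PCRE engine the REPORT transforms use.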

