Hello,
I need your help please.
I have a log like
and I want to extract data after the text "F5:WAF":
1st field: the date "2020-04-08 15:36:21"
2nd field: the source ip "192.121.195.41"
3rd field: the port "443" and the 4th the dest ip "190.92.12.16".
Thank you!
Does your data structure remain the same across messages? If so, I would build the extraction like:
[sourcetype]
EXTRACT-Group = F5\:WAF\s\"(?<date>[^\"]+)\"\,(?:\"[^\"]+\"\,)(?:\"\"\,)(?<src_ip>[^\,]+)\,(?<dest_port>[^\,]+)\,(?<dest_ip>[^\,]+)\,
That being said, there may be something on splunkbase.splunk.com around the F5 WAF data that may be very useful as well.
Hi Ragedsparrow,
When I put this request, I get this message:
https://docs.splunk.com/Documentation/CIM/4.15.0/User/NetworkTraffic
sample:
| makeresults
| eval _raw="F5:WAF \"2020-04-08 15:36:21\",\"146632585856347577\",\"\",192.121.195.41,443,190.92.12.16,..."
| rex "F5:WAF\s*\"(?<date>[^,]+)\",[^,]+,[^,]+,(?<src_ip>[^,]+),(?<src_port>[^,]+),(?<dest_ip>[^,]+),"
recommend:
index=yours sourcetype=yours
| rex "F5:WAF\s*\"(?<date>[^,]+)\",[^,]+,[^,]+,(?<src_ip>[^,]+),(?<src_port>[^,]+),(?<dest_ip>[^,]+),"
If there is an add-on, you should use it.
I tried to match the name to CIM in case.
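The rex pattern from the answer above can be checked offline before it goes into a search or a props.conf extraction. The following is an added example, not code from the thread or from Splunk: it runs the same regular expression (rewritten with Python's `(?P<name>)` group syntax) over a constructed line in the shape of the thread's sample, and then validates what the `[^,]+` groups captured, because those groups accept any non-comma text, not only IP addresses and ports. The field names follow the answer's CIM-style naming; the invalid sample lines are constructed here to show the failure cases.

```python
import ipaddress
import re

# Same pattern as the rex in the answer above, in Python group syntax.
F5_WAF_RE = re.compile(
    r'F5:WAF\s*"(?P<date>[^,]+)",[^,]+,[^,]+,'
    r'(?P<src_ip>[^,]+),(?P<src_port>[^,]+),(?P<dest_ip>[^,]+),'
)

# Constructed sample lines (values in the first line are the thread's own sample).
SAMPLE_LINES = [
    # well-formed: marker, quoted date, two quoted columns, then ip, port, ip
    'F5:WAF "2020-04-08 15:36:21","146632585856347577","",'
    '192.121.195.41,443,190.92.12.16,...',
    # constructed: no F5:WAF marker at all, so nothing should be extracted
    'syslog line without the marker',
    # constructed: the src_ip column holds text that is not an IP address
    'F5:WAF "2020-04-08 15:36:22","1","",not-an-ip,443,190.92.12.16,...',
]


def extract_f5_waf(line):
    """Return the four fields as a dict, or None when the line does not carry
    a well-formed F5:WAF payload.

    The regex only guarantees "something between commas"; the checks below
    reject captures that are not IP addresses or a valid TCP/UDP port so that
    malformed lines do not end up as bogus values in the extracted fields.
    """
    m = F5_WAF_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        ipaddress.ip_address(fields["src_ip"])
        ipaddress.ip_address(fields["dest_ip"])
        port = int(fields["src_port"])
    except ValueError:
        return None
    if not 0 < port <= 65535:
        return None
    fields["src_port"] = port
    return fields


def extract_all(lines):
    """Extract fields from every line, dropping lines that do not parse."""
    return [r for r in (extract_f5_waf(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_f5_waf(line))
```

Only the first constructed line yields a record; the other two return None, which is the behaviour you want when the same pattern is applied to a mixed sourcetype.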