Getting Data In

How to get data from F5 Bigip log

ahsaine
New Member

Hello,
I need your help please.
I have a log like

Spoiler
F5:WAF "2020-04-08 15:36:21","146632585856347577","",192.121.195.41,443,190.92.12.16,....

anD i want to extract data after the text "F5:WAF":
1st field: the date "2020-04-08 15:36:21"
2nd field: the source ip "192.121.195.41"
3th field: the port "443" ane the 4th the dest ip "190.92.12.16".

Thank you!

Labels (1)
0 Karma

ragedsparrow
Contributor

Does your data structure remain the same across messages?  If so, I would build the extraction like:

[sourcetype]
EXTRACT-Group = F5\:WAF\s\"(?<date>[^\"]+)\"\,(?:\"[^\"]+\"\,)(?:\"\"\,)(?<src_ip>[^\,]+)\,(?<dest_port>[^\,]+)\,(?<dest_ip>[^\,]+)\,

 

That being said, there may be something on splunkbase.splunk.com around the F5 WAF data that may be very useful as well.

0 Karma

ahsaine
New Member

Hi Ragedsparrow,

When i put this request, I get this message:

ahsaine_0-1591866267651.png

 

0 Karma

to4kawa
Ultra Champion

https://docs.splunk.com/Documentation/CIM/4.15.0/User/NetworkTraffic

sample:

| makeresults
| eval _raw="F5:WAF \"2020-04-08 15:36:21\",\"146632585856347577\",\"\",192.121.195.41,443,190.92.12.16,..."
| rex "F5:WAF\s*\"(?<date>[^,]+)\",[^,]+,[^,]+,(?<src_ip>[^,]+),(?<src_port>[^,]+),(?<dest_ip>[^,]+),"

recommend:

index=yours sourcetype=yours
| rex "F5:WAF\s*\"(?<date>[^,]+)\",[^,]+,[^,]+,(?<src_ip>[^,]+),(?<src_port>[^,]+),(?<dest_ip>[^,]+),"

If there is an add-on, you should use it.
I tried to match the name to CIM in case.

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...