Can anyone let me know why I am getting this error?
| rex field=url "(?<domain>\w+\.\w+)\/"
[| inputlookup IOCs-URLs.csv
| stats values(UrL) as url
| format]
| stats count as NumOTimes by src_ip,url
These are mostly because of search order. Let me give an example.
If you run this one you will get the exact same error message: "Error in 'rex' command: Invalid argument: 'NOT'"
index=foo OR
index=bar | spath output=message path=message | rex field=message "dst=(?<remote_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
[| makeresults | eval remote_ip=""
| eval remote_ip=split(remote_ip,",")
| mvexpand remote_ip
| table remote_ip]
| stats dc(remote_ip) as total
However, if you run the following, there is no error at all. Hope this helps. So the problem is not with rex; it is highly likely due to the search logic.
index=foo OR
index=bar | spath output=message path=message | rex field=message "dst=(?<remote_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
| search [| makeresults | eval remote_ip=""
| eval remote_ip=split(remote_ip,",")
| mvexpand remote_ip
| table remote_ip]
| stats dc(remote_ip) as total
The \/ sequence in rex commands requires additional escaping. Try `\\\/`.
BTW, if you put your SPL inside backticks (`) or highlight it and click the "101010" button special characters will be preserved and we'll be able to see the full query.
Didn't work, still the same error: Error in 'rex' command: Invalid argument: 'NOT'
Here is my current SPL:
index=xxxx*
| rex field=url "(?<domain>\w+\.\w+)\\/"
[| inputlookup IOCs-URLs.csv
| stats values(UrL) as url
| format]
| stats count as NumOTimes by src_ip,url
The general rule of thumb for escape characters in rex is to add more until the command works.
My answer had three backslashes, but your comment only has two. Perhaps that's just a copy error.
I totally missed another problem that could be causing the error. The inputlookup subsearch looks like it's misplaced. Recall that subsearches execute first and the results are substituted into the main search. So, after your subsearch the main search will look something like index=xxxx* | rex field=url "(?<domain>\w+\.\w+)\\\/" fourtion.com/qyBf2DfGd | stats count as NumOfTime by src_ip,url. See how Splunk would think you have an invalid rex command?
Before we spend too much time debugging the subsearch, please explain what you are trying to do with it. There may be another way to achieve your goal.
I have tried it with three backslashes as well. No luck!
Here is my scenario: I have a list of IOCs that I would like to search across our datasets (indexes) to find out if any users tried to reach those IOCs. As the list of IOCs kept increasing, we created a lookup table with a list of 80+ URLs (without 'http://'), for example: fourtion.com/qyBf2DfGd
Now that I have created the lookup table, I would like to see if any user has accessed these IOCs listed in the inputlookup table in Enterprise Security using SPL. Let me know if you need more information.
Try this
# This will find any events containing a string from the IOCs-URLs.csv lookup table
index=xxxx* [ | inputlookup IOCs-URLs.csv | return 100 $url ]
| stats count as NumOfTime by src_ip, url
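As an added illustration (not code from this thread), here is a Python emulation of what the query above does with the IOC lookup: the subsearch becomes an OR of quoted IOC strings, events whose raw text contains one of them are kept, and hits are counted by src_ip and url. The IOC list and proxy events are constructed; only `fourtion.com/qyBf2DfGd` comes from the thread, and the domain regex is the thread's rex written as a Python pattern, which needs no extra escaping of the slash.

```python
import re
from collections import Counter

# Constructed stand-in for the IOCs-URLs.csv lookup: URLs without a scheme, as the thread describes.
IOC_URLS = [
    "fourtion.com/qyBf2DfGd",      # the sample value quoted in the thread
    "example-bad.net/login.php",   # constructed
]

def make_event(src_ip, url):
    """Constructed proxy event: raw text plus the src_ip and url fields the SPL groups by."""
    return {"src_ip": src_ip, "url": url, "_raw": f"src={src_ip} url={url} action=allowed"}

EVENTS = [
    make_event("10.0.0.5", "http://fourtion.com/qyBf2DfGd"),
    make_event("10.0.0.5", "http://fourtion.com/qyBf2DfGd"),
    make_event("10.0.0.9", "https://EXAMPLE-BAD.net/login.php"),   # case differs from the IOC
    make_event("10.0.0.7", "http://fourtion.com/benign"),          # same domain, not an IOC path
    make_event("10.0.0.7", "http://safe.example.org/qyBf2DfGd"),   # same path, different domain
]

# The thread's rex as a Python regex: the word.word immediately before a '/'.
DOMAIN_RE = re.compile(r"(?P<domain>\w+\.\w+)/")

def extract_domain(url):
    r"""Equivalent of rex field=url "(?<domain>\w+\.\w+)/": the domain capture, or None."""
    m = DOMAIN_RE.search(url)
    return m.group("domain") if m else None

def render_subsearch(iocs):
    """Roughly what `[| inputlookup IOCs-URLs.csv | return 100 $url]` hands to the outer search:
    an OR of the first 100 lookup values as quoted free-text terms."""
    return " OR ".join(f'"{u}"' for u in iocs[:100])

def match_iocs(events, iocs):
    """`index=... [subsearch] | stats count as NumOfTime by src_ip, url`: keep events whose raw
    text contains an IOC string (term matching is case-insensitive), count per (src_ip, url)."""
    counts = Counter()
    for ev in events:
        raw = ev["_raw"].lower()
        if any(ioc.lower() in raw for ioc in iocs):
            counts[(ev["src_ip"], ev["url"])] += 1
    return counts

if __name__ == "__main__":
    print(render_subsearch(IOC_URLS))
    for (src_ip, url), n in match_iocs(EVENTS, IOC_URLS).items():
        print(src_ip, url, extract_domain(url), n)
```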
Any sample data for url field?
Here is the sample data from the table IOCs-URLs.csv:
- 'I would suggest not to click on or go to this IOC.'
fourtion.com/qyBf2DfGd
The error is not with the rex command; it is because you are using [|inputlookup immediately after rex. Try like this:
index=xxxx*
| rex field=url "(?<domain>\w+\.\w+)\\/" | fields domain url
[| inputlookup IOCs-URLs.csv
| stats values(UrL) as url
| format]
| stats count as NumOTimes by src_ip,url
This SPL didn't give me any error, but somehow it matches all events and does not display any results in Statistics.
Below is the status from the Splunk search:
1,550,000 of 1,550,000 events matched
but Statistics (0)