Splunk Enterprise Security

Help needed capturing a regex and then grouping on it

mikeclemson
New Member

I have unstructured data that can vary, and I want to find results that match exactly 32 lowercase a-z characters, and then group based on that match. My field name is cs6, which includes an entire HTTP request. I see that my regex is quite simple, regex cs6="[a-z]{32}". How do I further extract this value and group on the occurrences to find out which of these is most common? These represent Chrome extension IDs.

The examples that I found seemed to require me to have a consistent prefix, which I won't have.

1 Solution

diogofgm
SplunkTrust

instead of |regex cs6="[a-z]{32}" use this:

|rex field=cs6 "(?<extension_id>[a-z]{32})" | stats count by extension_id

------------
Hope I was able to help you. If so, some karma would be appreciated.

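Added worked example (not part of the thread, and not Splunk code): a Python stand-in for the accepted search that runs the same named-capture regex over a handful of constructed cs6 values and groups the matches the way `stats count by extension_id` would. It shows two caveats a practitioner would check before trusting the counts. First, `rex` returns only the first match per event unless you add `max_match=0`, so a request carrying two IDs contributes one row. Second, an unanchored `[a-z]{32}` happily takes the first 32 letters of any longer lowercase token; Chrome extension IDs use only the letters a-p, so `[a-p]{32}` bounded by lookarounds is a tighter pattern. The sample requests and the field values are constructed; Python spells named groups `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`, but the patterns are otherwise identical to what you would put in `rex`.

```python
import re
from collections import Counter

# Constructed sample values of the cs6 field (raw HTTP requests). Not real log data.
A = "abcdefghijklmnopabcdefghijklmnop"  # 32 chars, letters a-p only
B = "ponmlkjihgfedcbaponmlkjihgfedcba"  # 32 chars, letters a-p only
SAMPLE_CS6 = [
    "GET /static/bundle.js HTTP/1.1\r\nOrigin: chrome-extension://" + A + "\r\n",
    "POST /api/report HTTP/1.1\r\nOrigin: chrome-extension://" + A + "\r\n",
    "GET /v1/config?ext=" + B + " HTTP/1.1\r\n",
    # A 40-letter lowercase token that is not an extension ID. The loose pattern
    # still matches its first 32 letters.
    "GET /s/abcdefghijklmnopqrstuvwxyzabcdefghijklmn HTTP/1.1\r\n",
    # Two IDs in one request. rex returns only the first unless max_match=0.
    "GET /x HTTP/1.1\r\nReferer: chrome-extension://" + A + "/a.html\r\n"
    "Origin: chrome-extension://" + B + "\r\n",
]

# The pattern from the accepted answer (Python named-group syntax).
LOOSE = re.compile(r"(?P<extension_id>[a-z]{32})")

# Tightened pattern: extension IDs only use a-p, and the lookarounds refuse a
# match that is part of a longer lowercase run.
TIGHT = re.compile(r"(?<![a-z])(?P<extension_id>[a-p]{32})(?![a-z])")


def extract_ids(requests, pattern=TIGHT, max_match=1):
    """Mirror `rex field=cs6 max_match=N "(?<extension_id>...)"` per event.

    Returns one list per request. max_match=0 keeps every match, as in rex;
    the default of 1 keeps only the first, which is also rex's default.
    """
    out = []
    for req in requests:
        matches = [m.group("extension_id") for m in pattern.finditer(req)]
        if max_match > 0:
            matches = matches[:max_match]
        out.append(matches)
    return out


def count_by_extension_id(requests, pattern=TIGHT, max_match=1):
    """Mirror `| stats count by extension_id`.

    Events with no extracted value drop out, and a multivalue extraction
    (max_match=0) contributes one count per value.
    """
    counts = Counter()
    for ids in extract_ids(requests, pattern, max_match):
        counts.update(ids)
    return dict(counts)


def most_common_extension_id(requests, pattern=TIGHT, max_match=0):
    """The ID with the highest count, or None if nothing matched."""
    ranked = Counter(count_by_extension_id(requests, pattern, max_match)).most_common(1)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    print("loose, first match only:", count_by_extension_id(SAMPLE_CS6, LOOSE))
    print("tight, first match only:", count_by_extension_id(SAMPLE_CS6))
    print("tight, all matches:     ", count_by_extension_id(SAMPLE_CS6, max_match=0))
    print("most common:", most_common_extension_id(SAMPLE_CS6))
```

The equivalent of the tightened, all-matches variant in SPL is `| rex field=cs6 max_match=0 "(?<![a-z])(?<extension_id>[a-p]{32})(?![a-z])" | stats count by extension_id`; run it alongside the loose version on a short time window and compare the top rows to see whether the looser regex is picking up non-ID tokens in your data.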


mikeclemson
New Member

Thanks! I misunderstood the examples as thinking I needed the name, in your example extension_id, to exist in my actual data. I realize now I just make up whatever I want, making sure the entire thing is inside a capture group with parentheses.


diogofgm
SplunkTrust

yes 😉 I recommend checking regex101.com to test your regex patterns and learn more.
