Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with ReGex for certain data

syazwani
Path Finder
‎08-23-2022 08:26 PM

Hi peeps,

Need help in extracting some fields;

Sample logs:

Aug 24 09:30:43 101.11.10.01 CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|GNRL_EV_ATTACK_DETECTED|Network attack detected|4|msg=User: NT AUTHORITY\\SYSTEM (System user)\r\nComponent: Network Threat Protection\r\nResult description: Blocked\r\nName: Scan.Generic.PortScan.TCP\r\nObject: TCP from 101.11.10.01 at 101.11.10.01:25\r\nObject type: Network packet\r\nObject name: TCP from 101.11.10.01 at 101.11.10.01\r\nAdditional: 101.11.10.01\r\nDatabase release date: 23/8/2022 12:26:00 PM rt=1661304218000 cs9=Workstation cs9Label=GroupName dhost=082HALIM141 dst=101.11.10.01 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Network Threat Protection cs10Label=TaskName cs1=Scan.Generic.PortScan.TCP cs1Label=AttackName cs6=TCP cs6Label=AttackedProtocol cs4=2887053442 cs4Label=AttackerIPv4 cs7=25 cs7Label=AttackedPort cs8=2887125841 cs8Label=AttackedIP

 

Aug 24 09:30:43 101.11.10.01 CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|GNRL_EV_ATTACK_DETECTED|Network attack detected|4|msg=User: NT AUTHORITY\\SYSTEM (System user)\r\nComponent: Network Threat Protection\r\nResult description: Blocked\r\nName: Scan.Generic.PortScan.TCP\r\nObject: TCP from 101.11.10.01 at 101.11.10.01:42666\r\nObject type: Network packet\r\nObject name: TCP from 101.11.10.01 at 101.11.10.01:42666\r\nAdditional: 101.11.10.01\r\nDatabase release date: 23/8/2022 12:26:00 PM rt=1661304218000 cs9=Workstation cs9Label=GroupName dhost=082HALIM141 dst=101.11.10.01 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Network Threat Protection cs10Label=TaskName cs1=Scan.Generic.PortScan.TCP cs1Label=AttackName cs6=TCP cs6Label=AttackedProtocol cs4=2887053442 cs4Label=AttackerIPv4 cs7=42666 cs7Label=AttackedPort cs8=2887125841 cs8Label=AttackedIP

 

I need help to extract the underline value for fields name TCP.

Sample: 

TCP=101.11.10.01

Please help. Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 09:10 PM

You have two values (same) in the data. So, you can do this to extract and filter out the duplicates

| rex max_match=0  "TCP from (?<TCP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval TCP=mvdedup(TCP)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 09:10 PM

You have two values (same) in the data. So, you can do this to extract and filter out the duplicates

| rex max_match=0  "TCP from (?<TCP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval TCP=mvdedup(TCP)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...