Splunk Search

Another regex issue

ldgrube
Engager

I'm trying to collate groups of Windows EventIDs into categories and use regex to filter a range of them. I cannot get this to work, either I get errors saying the regex cannot do anything or I get all EventIDs like the regex was completely ignored. Here's an example: EventIDs 4868-4900 are for MS Certificate Services, so I'd like to find all of them and create an eventtype for that. Here is my search string:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)"

Please help... I'm new to regex and so far hate it 🙂

0 Karma
1 Solution

knielsen
Contributor

Why using rex / regex at all? If EventCode is integer already, just use the rangemap command.

| makeresults | eval EventCode="12,4868,5000,4900" | makemv delim="," EventCode | mvexpand EventCode
 | rangemap field=EventCode lower_end=0-4867 "MS Cert"=4868-4900 upper_end=4901-99999 
| search range="MS Cert"

gives you back 4868 and 4900 from the test input.


0 Karma

cpetterborg
SplunkTrust

The rex needs the name of the field you are making. So try something like:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P<EventID>(486[8-9]|48[7-9][0-9]|4900))"

ldgrube
Engager

that is getting closer... at least I get data now... I'm just getting too many codes that don't fit between those numbers 4868-4900.

anything like:
1....538...540....56x,...57x..... 46xx......47xx......48xx.....49xxxx.... 50xx.....51xx.....61xx.....62xx.....82xx

tried many variations of something like:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P((48(6[8-9])|[7-9][0-9])|4900))"

if I dump: (48(6[8-9])|[7-9][0-9])|4900 into an online regex tester...it gives me the right range 4868-4900... I'm not sure where I'm causing splunk grief in the syntax 🙂

0 Karma

richgalloway
SplunkTrust

I think you're using the wrong command. The rex command extracts data from a field using regular expressions. To filter events using a regular expression, try the regex command.

sourcetype=WinEventLog:Security host=* | regex EventCode="(486[8-9]|48[7-9][0-9]|4900)"
---
If this reply helps you, Karma would be appreciated.
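Added example (not from any of the posts above and not Splunk's own code): a short Python script that runs the patterns from this thread over a constructed list of EventCode values. Splunk's rex and regex commands use PCRE and Python's re module treats these particular patterns the same way, so the script shows three things at once: why the follow-up pattern (48(6[8-9])|[7-9][0-9])|4900 pulls in 46xx, 47xx and 53xx codes (its middle alternative is a bare [7-9][0-9], which matches two digits such as "72" or "77" anywhere inside the code), why the unanchored pattern from the answers still accepts 5-digit codes that merely contain 4868-4900, and that the anchored regex and a plain numeric range check (the rangemap approach in the accepted answer) select exactly the same events. The sample codes and the 5-digit values are constructed for the demonstration.

```python
import re

# Constructed sample EventCode values, chosen to include the kinds of codes the
# follow-up post says were slipping through (1, 538, 540, 46xx, 47xx, 53xx) plus
# two 5-digit values that show why anchoring matters. Not real log data.
SAMPLE_EVENT_CODES = ["1", "538", "540", "4624", "4672", "4776", "4868", "4876",
                      "4899", "4900", "4901", "5379", "14870", "48680"]

# The range the question is after: Certificate Services events 4868-4900.
CERT_LO, CERT_HI = 4868, 4900

# Pattern from the follow-up post. Alternation binds loosest, so this reads as
#   48(6[8-9])   OR   [7-9][0-9]   OR   4900
# and the middle branch matches any two digits like "72", "77" or "79".
BROKEN_PRECEDENCE = re.compile(r"(48(6[8-9])|[7-9][0-9])|4900")

# Correct alternation, as used in the answers, but unanchored: a 5-digit code
# that merely contains 4868-4900 (14870, 48680) still matches.
UNANCHORED = re.compile(r"(486[8-9]|48[7-9][0-9]|4900)")

# Anchored: the whole field must be one of the alternatives.
ANCHORED = re.compile(r"^(486[8-9]|48[7-9][0-9]|4900)$")


def regex_filter(codes, pattern):
    """Keep the codes the pattern matches anywhere in the field.

    re.search rather than re.match, because Splunk's regex command also
    matches anywhere in the field unless the pattern is anchored.
    """
    return [c for c in codes if pattern.search(c)]


def range_filter(codes, lo=CERT_LO, hi=CERT_HI):
    """Numeric range check; equivalent to the accepted answer's rangemap bucket."""
    kept = []
    for c in codes:
        try:
            n = int(c)
        except ValueError:      # EventCode should be numeric; skip anything else
            continue
        if lo <= n <= hi:
            kept.append(c)
    return kept


def rangemap(codes, lo=CERT_LO, hi=CERT_HI, label="MS Cert"):
    """Mirror of the rangemap answer: label each code by where it falls."""
    buckets = {}
    for c in codes:
        n = int(c)
        if n < lo:
            buckets[c] = "lower_end"
        elif n <= hi:
            buckets[c] = label
        else:
            buckets[c] = "upper_end"
    return buckets


def compare_filters(codes=SAMPLE_EVENT_CODES):
    """Run every filter over the same input so the differences are visible."""
    return {
        "broken_precedence": regex_filter(codes, BROKEN_PRECEDENCE),
        "unanchored": regex_filter(codes, UNANCHORED),
        "anchored": regex_filter(codes, ANCHORED),
        "numeric_range": range_filter(codes),
    }


if __name__ == "__main__":
    for name, hits in compare_filters().items():
        print(f"{name:18s} -> {hits}")
    print(rangemap(SAMPLE_EVENT_CODES))
```

Running it prints the over-matches side by side: the precedence-broken pattern returns 4672, 4776, 5379 and more, the unanchored one returns 14870 and 48680 on top of the wanted codes, and only the anchored regex and the numeric check agree on 4868, 4876, 4899 and 4900. In Splunk the anchored pattern belongs in the regex command, `| regex EventCode="^(486[8-9]|48[7-9][0-9]|4900)$"`, or, since EventCode is numeric, in a where clause or rangemap as in the accepted answer. rex only creates a field from a capture and never drops events; it also requires a named group such as (?<name>...), which is why the original search with a bare group failed with an error that the regex does not extract anything.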