I'm trying to collate groups of Windows EventIDs into categories and use regex to filter a range of them. I cannot get this to work, either I get errors saying the regex cannot do anything or I get all EventIDs like the regex was completely ignored. Here's an example: EventIDs 4868-4900 are for MS Certificate Services, so I'd like to find all of them and create an eventtype for that. Here is my search string:
sourcetype=WinEventLog:Security host=* | rex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)"
Please help... I'm new to regex and so far hate it 🙂
Why use rex / regex at all? If EventCode is an integer already, just use the rangemap command.
| makeresults | eval EventCode="12,4868,5000,4900" | makemv delim="," EventCode | mvexpand EventCode
| rangemap field=EventCode lower_end=0-4867 "MS Cert"=4868-4900 upper_end=4901-99999
| search range="MS Cert"
gives you back 4868 and 4900 from the test input.
The rex needs the name of the field you are making. So try something like:
sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P<EventID>(486[8-9]|48[7-9][0-9]|4900))"
That is getting closer... at least I get data now... I'm just getting too many codes that don't fall between those numbers, 4868-4900.
Anything like:
1....538...540....56x,...57x..... 46xx......47xx......48xx.....49xxxx.... 50xx.....51xx.....61xx.....62xx.....82xx
I tried many variations of something like:
sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P((48(6[8-9])|[7-9][0-9])|4900))"
If I dump (48(6[8-9])|[7-9][0-9])|4900 into an online regex tester, it gives me the right range 4868-4900... I'm not sure where I'm causing Splunk grief in the syntax 🙂
I think you're using the wrong command. The rex command extracts data from a field using regular expressions. To filter events using a regular expression, try the regex command.
sourcetype=WinEventLog:Security host=* | regex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)"
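To check offline which EventCodes the two patterns in this thread actually select, here is an added Python example (not from the thread or from Splunk) that runs the accepted answer's regex, the questioner's variant, and a plain integer range check over a few constructed WinEventLog-style lines. It assumes Python's re engine agrees with Splunk's PCRE for these simple patterns, and it anchors the patterns with ^ and $ because Splunk's regex command, like re.search, matches anywhere inside the field.

```python
import re

# Constructed sample events in WinEventLog:Security style; not real log data.
SAMPLE_EVENTS = [
    "EventCode=4624 Message=An account was successfully logged on.",
    "EventCode=4867 Message=Outside the Certificate Services range.",
    "EventCode=4868 Message=The certificate manager denied a pending request.",
    "EventCode=4885 Message=The audit filter for Certificate Services changed.",
    "EventCode=4900 Message=Certificate Services template security was updated.",
    "EventCode=4901 Message=Outside the Certificate Services range.",
    "EventCode=5156 Message=The Windows Filtering Platform permitted a connection.",
]

# Pattern from the accepted answer, anchored so it can only match the whole field.
ANSWER_PATTERN = re.compile(r"^(486[8-9]|48[7-9][0-9]|4900)$")
# Variant from the question: the alternation groups wrongly, so 4870-4899 never match
# and any two-digit code 70-99 would.
QUESTION_PATTERN = re.compile(r"^((48(6[8-9])|[7-9][0-9])|4900)$")

def event_code(line):
    """Pull the EventCode value out of one constructed log line, or None."""
    m = re.search(r"EventCode=(\d+)", line)
    return m.group(1) if m else None

def in_cert_range(code):
    """Integer comparison, the equivalent of rangemap or EventCode>=4868 EventCode<=4900."""
    return 4868 <= int(code) <= 4900

def matches(pattern, lines):
    """EventCodes from lines whose code the given pattern accepts."""
    return [event_code(l) for l in lines if pattern.search(event_code(l) or "")]

def cert_events_by_regex(lines=SAMPLE_EVENTS):
    return matches(ANSWER_PATTERN, lines)

def cert_events_by_question_regex(lines=SAMPLE_EVENTS):
    return matches(QUESTION_PATTERN, lines)

def cert_events_by_range(lines=SAMPLE_EVENTS):
    return [event_code(l) for l in lines if event_code(l) and in_cert_range(event_code(l))]

def regex_covers_exact_range(pattern=ANSWER_PATTERN, lo=4868, hi=4900):
    """Exhaustive check over 0..99999: the pattern must match exactly lo..hi, nothing else."""
    hits = {n for n in range(0, 100000) if pattern.search(str(n))}
    return hits == set(range(lo, hi + 1))
```

The exhaustive check is the quickest way to prove a hand-written numeric regex before putting it into a search or eventtype; the integer comparison needs no such proof.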