
Another regex issue

Engager

I'm trying to collate groups of Windows EventIDs into categories and use regex to filter a range of them. I cannot get this to work: either I get errors saying the regex cannot do anything, or I get all EventIDs as if the regex was completely ignored. Here's an example: EventIDs 4868-4900 are for MS Certificate Services, so I'd like to find all of them and create an eventtype for that. Here is my search string:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)"

Please help... I'm new to regex and so far hate it 🙂

0 Karma
1 Solution

Contributor

Why use rex / regex at all? If EventCode is an integer already, just use the rangemap command.

| makeresults | eval EventCode="12,4868,5000,4900" | makemv delim="," EventCode | mvexpand EventCode
| rangemap field=EventCode lower_end=0-4867 "MS Cert"=4868-4900 upper_end=4901-99999
| search range="MS Cert"

gives you back 4868 and 4900 from the test input.


0 Karma


SplunkTrust

The rex needs the name of the field you are making. So try something like:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P<EventID>(486[8-9]|48[7-9][0-9]|4900))"

Engager

That is getting closer... at least I get data now. I'm just getting too many codes that don't fit between those numbers, 4868-4900.

Anything like:
1....538...540....56x,...57x..... 46xx......47xx......48xx.....49xxxx.... 50xx.....51xx.....61xx.....62xx.....82xx

I tried many variations of something like:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P((48(6[8-9])|[7-9][0-9])|4900))"

If I dump (48(6[8-9])|[7-9][0-9])|4900 into an online regex tester, it gives me the right range 4868-4900... I'm not sure where I'm causing Splunk grief in the syntax 🙂

0 Karma

SplunkTrust

I think you're using the wrong command. The rex command extracts data from a field using regular expressions. To filter events using a regular expression, try the regex command.

sourcetype=WinEventLog:Security host=* | regex field=EventCode "(486[8-9]|48[7-9][0-9]|4900)"
---
If this reply helps you, an upvote would be appreciated.
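To see why rex does not filter, why the regex command does, and why the rangemap answer sidesteps regex altogether, here is an added Python example (not from the thread or from Splunk) that emulates the three searches over a constructed list of EventCode strings. It uses the thread's pattern as given and an anchored variant, and checks the anchored one against every integer 0-99999; the sample values (including a 5-digit code that contains 4868 as a substring) are constructed for illustration.

```python
import re

# Pattern from the thread, as used with Splunk's `regex` (filter) command.
RANGE_PATTERN = r"(486[8-9]|48[7-9][0-9]|4900)"

# Anchored variant: only matches when the whole EventCode is in range.
ANCHORED_PATTERN = r"^(486[8-9]|48[7-9][0-9]|4900)$"


def regex_filter(event_codes, pattern):
    """Emulate `| regex field=EventCode "<pattern>"`: keep only events whose
    EventCode matches. Like Splunk's regex command, the match is a search,
    so an unanchored pattern also hits substrings of longer codes."""
    rx = re.compile(pattern)
    return [code for code in event_codes if rx.search(code)]


def rex_extract(event_codes, pattern):
    """Emulate `| rex field=EventCode "(?P<EventID>...)"`: every event is kept;
    EventID is populated only where the pattern matches. This is why rex on
    its own never reduces the result set."""
    rx = re.compile(pattern)
    rows = []
    for code in event_codes:
        m = rx.search(code)
        rows.append({"EventCode": code, "EventID": m.group(1) if m else None})
    return rows


def rangemap_filter(event_codes, low=4868, high=4900):
    """Emulate `| rangemap field=EventCode "MS Cert"=4868-4900
    | search range="MS Cert"`: a numeric comparison, so no substring issue."""
    return [code for code in event_codes
            if code.isdigit() and low <= int(code) <= high]


def regex_matches_exact_range(pattern, low=4868, high=4900, limit=99999):
    """Return True if `pattern` matches exactly the integers low..high
    (and nothing else) when tested against every integer 0..limit."""
    rx = re.compile(pattern)
    matched = {n for n in range(limit + 1) if rx.search(str(n))}
    return matched == set(range(low, high + 1))


# Constructed sample EventCode values (not real log data): the thread's test
# values, neighbours of the range edges, and a 5-digit code containing 4868.
SAMPLE_CODES = ["12", "4624", "4868", "4875", "4900", "4901", "5000", "14868"]
```

The anchored pattern and the rangemap comparison agree on the sample; the unanchored pattern additionally keeps "14868", which is the kind of stray code worth checking for before turning the search into an eventtype.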