Splunk Search

Extracting using rex

rkris
Explorer

splunk_qns8_p1.PNG

splunk_qns8_p2.PNG

splunk_qns8_p3.PNG

How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

getting the end of line after VIRUS - try the next

 

index=<YOUR INDEX HERE> source="General-linux-sql.log" sourcetype="Linux" Virus
| rex "\s+VIRUS\s+-\s+(?<virusDescription>.*)"
| table _time virusDescription

 

r. Ismo 

0 Karma

rkris
Explorer

@isoutamo 

I need to put the following line first as this is where i'll be retrieving my info from

splunk_qns9_p1.PNG

So do i add your code after this line?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Yes add it to after those. You should always add at least

index=<your index> sourcetype=<your sourcetype> source=<your source> when you are looking events. And in this case add also word “Virus” as it would be on your each event. 
That way your query is more powerful, quicker and use less resources.

I updated my previous example to contain these.


r.  Ismo

0 Karma

impurush
Contributor

Hi,

Do you want to get that "Virus" word in a separate field using rex command
or do you want to show the log details in the dashboard which has a virus word?

0 Karma

rkris
Explorer

@impurush  Hi. I just want to get "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"

0 Karma

impurush
Contributor

Hi @rkris , use the below query to get all three "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")

 

Tags (1)
0 Karma

rkris
Explorer

@impurush 

Is there a way for me to group them all into a table?

0 Karma

impurush
Contributor

@rkris , you can try this

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table _time,virus_name

 

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...