How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?
Hi
To get the end of the line after VIRUS, try the next:
index=<YOUR INDEX HERE> source="General-linux-sql.log" sourcetype="Linux" Virus
| rex "\s+VIRUS\s+-\s+(?<virusDescription>.*)"
| table _time virusDescription
r. Ismo
I need to put the following line first, as this is where I'll be retrieving my info from.
So do I add your code after this line?
Yes, add it after those. You should always add at least
index=<your index> sourcetype=<your sourcetype> source=<your source> when you are looking for events. And in this case also add the word “Virus”, as it would be on each of your events.
That way your query is more powerful, quicker, and uses fewer resources.
I updated my previous example to contain these.
r. Ismo
Hi,
Do you want to get that "Virus" word in a separate field using the rex command,
or do you want to show in the dashboard the log details which have the word virus?
@impurush Hi. I just want to get "Possible NewApt.Worm - gadget.exe", "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"
Hi @rkris, use the query below to get all three, "Possible NewApt.Worm - gadget.exe", "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe", from the logs.
source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
Is there a way for me to group them all into a table?
@rkris, you can try this:
source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
| rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table _time,virus_name
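As an added illustration (not part of the thread or of Splunk itself) of what the two rex patterns above actually capture, and why they can differ, here is a Python script that runs the same regular expressions over a few constructed log events. The event format is an assumption: the real "General-linux-sql.log" layout is not shown in the thread, so the samples only assume a "VIRUS - <description>" fragment somewhere in the line. Note that Splunk rex uses PCRE named groups, `(?<name>...)`, while Python's re module needs `(?P<name>...)`; that is the only translation made.

```python
import re

# Constructed sample events (not taken from the thread). The real log format is
# unknown; these only assume a "VIRUS - <description>" fragment in the line.
SAMPLE_EVENTS = [
    "2024-01-05 10:15:01 host1 scanner: VIRUS - Possible NewApt.Worm - gadget.exe",
    "2024-01-05 10:16:44 host1 scanner: VIRUS - Possible Y2K Zelu Trojan",
    "2024-01-05 10:17:09 host2 scanner: Virus - Possible NewApt.Worm - baby.exe",
    "2024-01-05 10:18:30 host2 scanner: scan completed, no virus found",
]

# The two rex patterns from the thread, with Splunk's PCRE (?<name>...) group
# syntax rewritten as Python's (?P<name>...). Both are case-sensitive, as rex is.
PATTERN_ISMO = re.compile(r"\s+VIRUS\s+-\s+(?P<virusDescription>.*)")
PATTERN_IMPURUSH = re.compile(r"Virus\s-\s(?P<virus_name>.*)")

# Case-insensitive variant; the SPL equivalent is
#   | rex "(?i)virus\s+-\s+(?<virus_name>.*)"
PATTERN_CI = re.compile(r"(?i)virus\s+-\s+(?P<virus_name>.*)")


def extract(event, pattern):
    """Return the captured description, or None when the pattern does not match.

    This mirrors rex: a non-matching event simply gets no field, it is not dropped.
    The greedy .* runs to the end of the line, so an inner " - " (as in
    "Possible NewApt.Worm - gadget.exe") is kept inside the captured value.
    """
    m = pattern.search(event)
    return m.group(1) if m else None


def build_table(events, pattern):
    """Mimic '| table _time virus_name': one (timestamp, value) row per event.

    Rows where extraction failed keep None, which is what an empty dashboard
    cell would look like in Splunk.
    """
    rows = []
    for ev in events:
        ts = ev[:19]  # the constructed events start with a 19-character timestamp
        rows.append((ts, extract(ev, pattern)))
    return rows


if __name__ == "__main__":
    for name, pat in (("ISMO", PATTERN_ISMO), ("IMPURUSH", PATTERN_IMPURUSH), ("CI", PATTERN_CI)):
        print(f"--- {name}")
        for ts, value in build_table(SAMPLE_EVENTS, pat):
            print(f"{ts}  {value}")
```

Running it shows the practical caveat: the keyword `Virus` in the base search matches regardless of case, but `rex` is case-sensitive, so if some events say `VIRUS` and others `Virus`, one of the two patterns leaves blank cells in the table. Check the exact spelling in your events, or use the `(?i)` variant, before wiring the field into a dashboard.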