Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extracting using rex

rkris
Explorer
‎08-10-2020 01:37 PM

splunk_qns8_p1.PNG

splunk_qns8_p2.PNG

splunk_qns8_p3.PNG

How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2020 01:49 PM

Hi

getting the end of line after VIRUS - try the next

 

index=<YOUR INDEX HERE> source="General-linux-sql.log" sourcetype="Linux" Virus
| rex "\s+VIRUS\s+-\s+(?<virusDescription>.*)"
| table _time virusDescription

 

r. Ismo 

0 Karma
Reply

rkris
Explorer
‎08-10-2020 03:36 PM

@isoutamo 

I need to put the following line first as this is where i'll be retrieving my info from

splunk_qns9_p1.PNG

So do i add your code after this line?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2020 10:10 PM

Yes add it to after those. You should always add at least

index=<your index> sourcetype=<your sourcetype> source=<your source> when you are looking events. And in this case add also word “Virus” as it would be on your each event. 
That way your query is more powerful, quicker and use less resources.

I updated my previous example to contain these.


r.  Ismo

0 Karma
Reply

impurush
Contributor
‎08-10-2020 01:44 PM

Hi,

Do you want to get that "Virus" word in a separate field using rex command
or do you want to show the log details in the dashboard which has a virus word?

0 Karma
Reply

rkris
Explorer
‎08-10-2020 03:27 PM

@impurush  Hi. I just want to get "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"

0 Karma
Reply

impurush
Contributor
‎08-10-2020 05:10 PM

Hi @rkris , use the below query to get all three "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")

 

Tags (1)
0 Karma
Reply

rkris
Explorer
‎08-10-2020 07:36 PM

@impurush 

Is there a way for me to group them all into a table?

0 Karma
Reply

impurush
Contributor
‎08-10-2020 07:59 PM

@rkris , you can try this

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table _time,virus_name

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...