Splunk Search

Extracting using rex

rkris
Explorer

splunk_qns8_p1.PNG

splunk_qns8_p2.PNG

splunk_qns8_p3.PNG

How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

getting the end of line after VIRUS - try the next

 

index=<YOUR INDEX HERE> source="General-linux-sql.log" sourcetype="Linux" Virus
| rex "\s+VIRUS\s+-\s+(?<virusDescription>.*)"
| table _time virusDescription

 

r. Ismo 

0 Karma

rkris
Explorer

@isoutamo 

I need to put the following line first as this is where i'll be retrieving my info from

splunk_qns9_p1.PNG

So do i add your code after this line?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Yes add it to after those. You should always add at least

index=<your index> sourcetype=<your sourcetype> source=<your source> when you are looking events. And in this case add also word “Virus” as it would be on your each event. 
That way your query is more powerful, quicker and use less resources.

I updated my previous example to contain these.


r.  Ismo

0 Karma

impurush
Contributor

Hi,

Do you want to get that "Virus" word in a separate field using rex command
or do you want to show the log details in the dashboard which has a virus word?

0 Karma

rkris
Explorer

@impurush  Hi. I just want to get "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"

0 Karma

impurush
Contributor

Hi @rkris , use the below query to get all three "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")

 

Tags (1)
0 Karma

rkris
Explorer

@impurush 

Is there a way for me to group them all into a table?

0 Karma

impurush
Contributor

@rkris , you can try this

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table _time,virus_name

 

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...