Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting using rex

rkris
Explorer
‎08-10-2020 01:37 PM

splunk_qns8_p1.PNG

splunk_qns8_p2.PNG

splunk_qns8_p3.PNG

How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2020 01:49 PM

Hi

getting the end of line after VIRUS - try the next

 

index=<YOUR INDEX HERE> source="General-linux-sql.log" sourcetype="Linux" Virus
| rex "\s+VIRUS\s+-\s+(?<virusDescription>.*)"
| table _time virusDescription

 

r. Ismo 

0 Karma
Reply

rkris
Explorer
‎08-10-2020 03:36 PM

@isoutamo 

I need to put the following line first as this is where i'll be retrieving my info from

splunk_qns9_p1.PNG

So do i add your code after this line?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2020 10:10 PM

Yes add it to after those. You should always add at least

index=<your index> sourcetype=<your sourcetype> source=<your source> when you are looking events. And in this case add also word “Virus” as it would be on your each event. 
That way your query is more powerful, quicker and use less resources.

I updated my previous example to contain these.


r.  Ismo

0 Karma
Reply

impurush
Contributor
‎08-10-2020 01:44 PM

Hi,

Do you want to get that "Virus" word in a separate field using rex command
or do you want to show the log details in the dashboard which has a virus word?

0 Karma
Reply

rkris
Explorer
‎08-10-2020 03:27 PM

@impurush  Hi. I just want to get "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"

0 Karma
Reply

impurush
Contributor
‎08-10-2020 05:10 PM

Hi @rkris , use the below query to get all three "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")

 

Tags (1)
0 Karma
Reply

rkris
Explorer
‎08-10-2020 07:36 PM

@impurush 

Is there a way for me to group them all into a table?

0 Karma
Reply

impurush
Contributor
‎08-10-2020 07:59 PM

@rkris , you can try this

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table _time,virus_name

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...