Splunk Search

Extracting using rex

rkris
Explorer

splunk_qns8_p1.PNG

splunk_qns8_p2.PNG

splunk_qns8_p3.PNG

How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?

0 Karma

isoutamo
SplunkTrust

Hi

To get the end of the line after VIRUS, try the following:

 

index=<YOUR INDEX HERE> source="General-linux-sql.log" sourcetype="Linux" Virus
| rex "\s+VIRUS\s+-\s+(?<virusDescription>.*)"
| table _time virusDescription

 

r. Ismo 

0 Karma

rkris
Explorer

@isoutamo 

I need to put the following line first, as this is where I'll be retrieving my info from

splunk_qns9_p1.PNG

So do I add your code after this line?

0 Karma

isoutamo
SplunkTrust

Yes, add it after those. You should always add at least

index=<your index> sourcetype=<your sourcetype> source=<your source> when you are looking for events. In this case, also add the word “Virus”, as it would be in each of your events.
That way your query is more powerful, quicker and uses fewer resources.

I updated my previous example to contain these.


r. Ismo

0 Karma

impurush
Contributor

Hi,

Do you want to get that "Virus" word in a separate field using rex command
or do you want to show the log details in the dashboard which has a virus word?

0 Karma

rkris
Explorer

@impurush Hi. I just want to get "Possible NewApt.Worm - gadget.exe", "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"

0 Karma

impurush
Contributor

Hi @rkris , use the below query to get all three "Possible NewApt.Worm - gadget.exe",  "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")

 

0 Karma

rkris
Explorer

@impurush 

Is there a way for me to group them all into a table?

0 Karma

impurush
Contributor

@rkris , you can try this

source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table _time,virus_name

 

0 Karma
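As an added example (not code from the thread or from Splunk), the script below applies the same regex as the rex commands above to a few constructed scanner log lines, producing the rows that "table _time virus_name" would show plus a per-virus count suitable for a dashboard panel. The log line format and timestamps are assumptions; only the "VIRUS - <description>" marker and the three descriptions come from the thread.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). The layout assumes
# a timestamp first and an antivirus "VIRUS - <description>" marker later on.
SAMPLE_EVENTS = [
    "2024-01-10T08:15:02Z host01 scanner: /home/bob/gadget.exe VIRUS - Possible NewApt.Worm - gadget.exe",
    "2024-01-10T08:15:03Z host01 scanner: /tmp/report.xls VIRUS - Possible Y2K Zelu Trojan",
    "2024-01-10T08:15:04Z host01 scanner: /srv/www/index.html OK",
    "2024-01-10T08:15:05Z host01 scanner: /home/bob/baby.exe VIRUS - Possible NewApt.Worm - baby.exe   ",
]

# Same pattern as the SPL rex, with the named group written in Python syntax
# (?P<name>...). It is case-sensitive, exactly as rex is by default; if the
# log writes "Virus" instead of "VIRUS", prefix the pattern with (?i).
# The greedy .* deliberately keeps the second " - " inside the description,
# so "Possible NewApt.Worm - gadget.exe" survives intact.
VIRUS_RE = re.compile(r"\s+VIRUS\s+-\s+(?P<virus_name>.*)")


def extract_virus_table(events):
    """Return [(timestamp, virus_name)] for events carrying a VIRUS marker.

    Events without the marker are skipped here; in Splunk the search term
    "Virus" would already have excluded them before rex runs. Trailing
    whitespace captured by .* is stripped so equal names group together."""
    rows = []
    for line in events:
        match = VIRUS_RE.search(line)
        if match is None:
            continue
        timestamp = line.split(" ", 1)[0]  # assumption: timestamp is the first token
        rows.append((timestamp, match.group("virus_name").rstrip()))
    return rows


def count_by_virus(events):
    """Equivalent of "| stats count by virus_name" over the extracted rows."""
    return dict(Counter(name for _, name in extract_virus_table(events)))


if __name__ == "__main__":
    for ts, name in extract_virus_table(SAMPLE_EVENTS):
        print(ts, name)
    print(count_by_virus(SAMPLE_EVENTS))
```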