Splunk Search

Extraction using rex

rkris
Explorer

This is a dashboard panel that i've created by extracting virus information from a log file

Splunk_qns1.PNG

 

This is my search query

Splunk_qns2.PNG

 

I actually want to see only the virus names and the IP addresses. So, it should look like this:

Splunk_qns3.PNG

How would I change my regex to obtain this result?

Labels (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
If you can share your sample data as text instead of a screen shot then we can test with it.
---
If this reply helps you, Karma would be appreciated.
0 Karma

rkris
Explorer

@richgalloway 

This is my sample data in text format:

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:729:1]  Virus - Possible scr Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 37.236.185.162:80  -> 10.10.50.218:100

 

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:779:1]  Virus - Possible NewApt.Worm - gadget.exe <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 161.38.138.124:80  -> 10.10.50.85:100

 

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:757:1]  Virus - Possible Y2K Zelu Trojan <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 187.226.150.129:80  -> 10.10.50.102:100

 

Apr 23 14:13:35 [143.5.113.3] snort: [1:767:1]  Virus - Possible NewApt.Worm - baby.exe [Classification: ] [Priority: ]: {PROTOCOL} 222.190.104.160:58287 -> 26.73.78.96:25

 

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:727:1]  Virus - Possible MyRomeo Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 149.170.61.35:80  -> 10.10.50.154:100

 

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:800:1]  Virus - Possible Resume Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 234.87.141.144:80  -> 10.10.50.17:100

 

Apr 23 14:13:35 [143.5.113.3] snort: [1:801:1]  Virus - Possible Worm - doc.vbs file [Classification: ] [Priority: ]: {PROTOCOL} 240.81.210.240:58287 -> 66.56.229.39:25

 

Apr 23 14:13:35 [143.5.113.3] snort: [1:757:1]  Virus - Possible Y2K Zelu Trojan [Classification: ] [Priority: ]: {PROTOCOL} 60.151.205.115:58287 -> 110.244.14.35:25

 

Apr 23 14:13:50 [143.5.113.3] snort: [1:2266:1] VIRUS OUTBOUND .doc file attachment [Classification: ] [Priority: ]: {PROTOCOL} 234.182.233.181:58287 -> 0.235.220.175:25

 

Apr 23 14:13:39 [143.5.113.3] snort[1976]: [1:1234:1]  WEB-MISC VirusWall FtpSaveCSP access <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 192.69.129.252:80  -> 10.10.50.30:100

 

Apr 23 14:13:35 [143.5.113.3] snort: [1:730:1]  Virus - Possible shs Worm [Classification: ] [Priority: ]: {PROTOCOL} 145.134.206.152:58287 -> 112.8.113.14:25

 

             Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:732:1]  Virus - Possible QAZ Worm Infection <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 36.75.150.0:80  -> 10.10.50.229:100

 

I only want to retrieve the virus names and IP addresses which are highlighted in red.

 

And this is my search query in text format:

source="General-linux-sql.log" sourcetype="Linux"
|rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table virus_name
| stats count by virus_name

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for the sample data.  This rex command isn't perfect, but should get you close to want you seek.

| rex "snort(?:\[[^\]]+])?: \[[^\]]+] (?<virus>[^\[\<]+).+(?:\{PROTOCOL}|TCP) (?<ip>.*)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...