Splunk Search

Extraction using rex

rkris
Explorer

This is a dashboard panel that I've created by extracting virus information from a log file

[screenshot: Splunk_qns1.PNG]

This is my search query

[screenshot: Splunk_qns2.PNG]

I actually want to see only the virus names and the IP addresses. So, it should look like this:

[screenshot: Splunk_qns3.PNG]

How would I change my regex to obtain this result?

0 Karma

richgalloway
SplunkTrust
If you can share your sample data as text instead of a screen shot then we can test with it.
---
If this reply helps you, Karma would be appreciated.
0 Karma

rkris
Explorer

@richgalloway 

This is my sample data in text format:

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:729:1]  Virus - Possible scr Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 37.236.185.162:80  -> 10.10.50.218:100
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:779:1]  Virus - Possible NewApt.Worm - gadget.exe <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 161.38.138.124:80  -> 10.10.50.85:100
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:757:1]  Virus - Possible Y2K Zelu Trojan <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 187.226.150.129:80  -> 10.10.50.102:100
Apr 23 14:13:35 [143.5.113.3] snort: [1:767:1]  Virus - Possible NewApt.Worm - baby.exe [Classification: ] [Priority: ]: {PROTOCOL} 222.190.104.160:58287 -> 26.73.78.96:25
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:727:1]  Virus - Possible MyRomeo Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 149.170.61.35:80  -> 10.10.50.154:100
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:800:1]  Virus - Possible Resume Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 234.87.141.144:80  -> 10.10.50.17:100
Apr 23 14:13:35 [143.5.113.3] snort: [1:801:1]  Virus - Possible Worm - doc.vbs file [Classification: ] [Priority: ]: {PROTOCOL} 240.81.210.240:58287 -> 66.56.229.39:25
Apr 23 14:13:35 [143.5.113.3] snort: [1:757:1]  Virus - Possible Y2K Zelu Trojan [Classification: ] [Priority: ]: {PROTOCOL} 60.151.205.115:58287 -> 110.244.14.35:25
Apr 23 14:13:50 [143.5.113.3] snort: [1:2266:1] VIRUS OUTBOUND .doc file attachment [Classification: ] [Priority: ]: {PROTOCOL} 234.182.233.181:58287 -> 0.235.220.175:25
Apr 23 14:13:39 [143.5.113.3] snort[1976]: [1:1234:1]  WEB-MISC VirusWall FtpSaveCSP access <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 192.69.129.252:80  -> 10.10.50.30:100
Apr 23 14:13:35 [143.5.113.3] snort: [1:730:1]  Virus - Possible shs Worm [Classification: ] [Priority: ]: {PROTOCOL} 145.134.206.152:58287 -> 112.8.113.14:25
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:732:1]  Virus - Possible QAZ Worm Infection <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 36.75.150.0:80  -> 10.10.50.229:100

 

I only want to retrieve the virus names and IP addresses which are highlighted in red.

 

And this is my search query in text format:

source="General-linux-sql.log" sourcetype="Linux"
| rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table virus_name
| stats count by virus_name

0 Karma

richgalloway
SplunkTrust

Thanks for the sample data. This rex command isn't perfect, but should get you close to what you seek.

| rex "snort(?:\[[^\]]+])?: \[[^\]]+] (?<virus>[^\[\<]+).+(?:\{PROTOCOL}|TCP) (?<ip>.*)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
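An added example, not part of the thread, that prototypes the extraction outside Splunk: one pattern covers both snort layouts in the sample data (the `<\Device...> TCP` form and the `[Classification: ] [Priority: ]: {PROTOCOL}` form), pulls the alert message plus source and destination IPs, drops non-virus rules such as the `WEB-MISC VirusWall` line, and reproduces the `stats count by virus_name` step. The sample lines are constructed copies of the data posted above; the regex is mine, not the one in the reply.

```python
import re
from collections import Counter

# Constructed sample lines copied from the two snort layouts shown in the thread.
SAMPLE_LOGS = [
    r"Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:729:1]  Virus - Possible scr Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 37.236.185.162:80  -> 10.10.50.218:100",
    r"Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:757:1]  Virus - Possible Y2K Zelu Trojan <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 187.226.150.129:80  -> 10.10.50.102:100",
    r"Apr 23 14:13:35 [143.5.113.3] snort: [1:767:1]  Virus - Possible NewApt.Worm - baby.exe [Classification: ] [Priority: ]: {PROTOCOL} 222.190.104.160:58287 -> 26.73.78.96:25",
    r"Apr 23 14:13:35 [143.5.113.3] snort: [1:757:1]  Virus - Possible Y2K Zelu Trojan [Classification: ] [Priority: ]: {PROTOCOL} 60.151.205.115:58287 -> 110.244.14.35:25",
    r"Apr 23 14:13:50 [143.5.113.3] snort: [1:2266:1] VIRUS OUTBOUND .doc file attachment [Classification: ] [Priority: ]: {PROTOCOL} 234.182.233.181:58287 -> 0.235.220.175:25",
    r"Apr 23 14:13:39 [143.5.113.3] snort[1976]: [1:1234:1]  WEB-MISC VirusWall FtpSaveCSP access <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 192.69.129.252:80  -> 10.10.50.30:100",
]

# One pattern for both layouts. Named groups use (?P<...>), which PCRE (Splunk's rex) also accepts.
SNORT_RE = re.compile(
    r"snort(?:\[\d+\])?: "                        # process name with optional PID
    r"\[\d+:\d+:\d+\]\s+"                          # signature id [gid:sid:rev]
    r"(?P<virus>.*?)\s*"                           # alert message, lazy so trailing space is trimmed
    r"(?:<\\Device[^>]*>|\[Classification:[^\]]*\] \[Priority:[^\]]*\]:)\s+"
    r"(?:\{PROTOCOL\}|TCP|UDP)\s+"                 # protocol token differs between layouts
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)"
)

# Keep only messages naming a virus; \b stops "VirusWall" (a web-access rule) from matching.
VIRUS_WORD = re.compile(r"\bvirus\b", re.IGNORECASE)


def extract_virus_events(lines):
    """Return (virus_name, src_ip, dst_ip) for each line whose alert message is a virus alert."""
    events = []
    for line in lines:
        m = SNORT_RE.search(line)
        if m is None or not VIRUS_WORD.search(m["virus"]):
            continue
        events.append((m["virus"], m["src_ip"], m["dst_ip"]))
    return events


def count_by_virus(lines):
    """Equivalent of '| stats count by virus_name' over the extracted events."""
    return Counter(name for name, _, _ in extract_virus_events(lines))


if __name__ == "__main__":
    for name, src, dst in extract_virus_events(SAMPLE_LOGS):
        print(f"{name:45} {src:>16} -> {dst}")
    print(count_by_virus(SAMPLE_LOGS))
```

Running it against real exports is a quick way to confirm a rex pattern before pasting it into a dashboard search, since both layouts and the false-positive rule are exercised by the sample.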