Splunk Search

Extraction using rex

rkris
Explorer

This is a dashboard panel that I've created by extracting virus information from a log file

[screenshot: Splunk_qns1.PNG]

This is my search query

[screenshot: Splunk_qns2.PNG]

I actually want to see only the virus names and the IP addresses. So, it should look like this:

[screenshot: Splunk_qns3.PNG]

How would I change my regex to obtain this result?


richgalloway
SplunkTrust
If you can share your sample data as text instead of a screen shot then we can test with it.
---
If this reply helps you, Karma would be appreciated.

rkris
Explorer

@richgalloway 

This is my sample data in text format:

Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:729:1]  Virus - Possible scr Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 37.236.185.162:80  -> 10.10.50.218:100
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:779:1]  Virus - Possible NewApt.Worm - gadget.exe <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 161.38.138.124:80  -> 10.10.50.85:100
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:757:1]  Virus - Possible Y2K Zelu Trojan <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 187.226.150.129:80  -> 10.10.50.102:100
Apr 23 14:13:35 [143.5.113.3] snort: [1:767:1]  Virus - Possible NewApt.Worm - baby.exe [Classification: ] [Priority: ]: {PROTOCOL} 222.190.104.160:58287 -> 26.73.78.96:25
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:727:1]  Virus - Possible MyRomeo Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 149.170.61.35:80  -> 10.10.50.154:100
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:800:1]  Virus - Possible Resume Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 234.87.141.144:80  -> 10.10.50.17:100
Apr 23 14:13:35 [143.5.113.3] snort: [1:801:1]  Virus - Possible Worm - doc.vbs file [Classification: ] [Priority: ]: {PROTOCOL} 240.81.210.240:58287 -> 66.56.229.39:25
Apr 23 14:13:35 [143.5.113.3] snort: [1:757:1]  Virus - Possible Y2K Zelu Trojan [Classification: ] [Priority: ]: {PROTOCOL} 60.151.205.115:58287 -> 110.244.14.35:25
Apr 23 14:13:50 [143.5.113.3] snort: [1:2266:1] VIRUS OUTBOUND .doc file attachment [Classification: ] [Priority: ]: {PROTOCOL} 234.182.233.181:58287 -> 0.235.220.175:25
Apr 23 14:13:39 [143.5.113.3] snort[1976]: [1:1234:1]  WEB-MISC VirusWall FtpSaveCSP access <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 192.69.129.252:80  -> 10.10.50.30:100
Apr 23 14:13:35 [143.5.113.3] snort: [1:730:1]  Virus - Possible shs Worm [Classification: ] [Priority: ]: {PROTOCOL} 145.134.206.152:58287 -> 112.8.113.14:25
Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:732:1]  Virus - Possible QAZ Worm Infection <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 36.75.150.0:80  -> 10.10.50.229:100

I only want to retrieve the virus names and IP addresses which are highlighted in red.

And this is my search query in text format:

source="General-linux-sql.log" sourcetype="Linux"
| rex field=_raw "Virus\s-\s(?<virus_name>.*)"
| table virus_name
| stats count by virus_name


richgalloway
SplunkTrust

Thanks for the sample data. This rex command isn't perfect, but should get you close to what you seek.

| rex "snort(?:\[[^\]]+])?: \[[^\]]+] (?<virus>[^\[\<]+).+(?:\{PROTOCOL}|TCP) (?<ip>.*)"
---
If this reply helps you, Karma would be appreciated.
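As an added example (not code from this thread), the same extraction the reply's rex performs, written with Python's re module so it can be checked offline against constructed copies of the sample events; it additionally trims the whitespace around the signature name and splits the captured address pair into source and destination IPs:

```python
import re
from collections import Counter

# Constructed sample events in the two shapes seen in the thread:
# "snort[pid]: [sid] name <\Device\...> TCP src:port  -> dst:port" and
# "snort: [sid] name [Classification: ] [Priority: ]: {PROTOCOL} src:port -> dst:port".
SAMPLE_EVENTS = [
    r"Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:729:1]  Virus - Possible scr Worm <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 37.236.185.162:80  -> 10.10.50.218:100",
    r"Apr 23 14:13:35 [143.5.113.3] snort: [1:767:1]  Virus - Possible NewApt.Worm - baby.exe [Classification: ] [Priority: ]: {PROTOCOL} 222.190.104.160:58287 -> 26.73.78.96:25",
    r"Apr 23 14:13:35 [143.5.113.3] snort: [1:757:1]  Virus - Possible Y2K Zelu Trojan [Classification: ] [Priority: ]: {PROTOCOL} 60.151.205.115:58287 -> 110.244.14.35:25",
    r"Apr 23 14:13:35 [143.5.113.3] snort[1976]: [1:757:1]  Virus - Possible Y2K Zelu Trojan <\Device\Packet_{D3446BC6-343C-4C0C-8A29-AC6161C9D0F3}> TCP 187.226.150.129:80  -> 10.10.50.102:100",
    # Constructed non-snort line: the pattern must not match it.
    "Apr 23 14:13:35 [143.5.113.3] sshd[22]: Accepted publickey for alice from 10.0.0.5",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Same structure as the rex in the reply: optional [pid], the [gid:sid:rev]
# block, the name up to the next '[' or '<', then the transport marker.
SNORT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[[^\]]+\]\s*"      # snort[pid]: [gid:sid:rev]
    r"(?P<virus_name>[^\[<]+?)\s*[\[<]"      # name, trailing spaces trimmed
    r".*?(?:\{PROTOCOL\}|TCP)\s+"            # {PROTOCOL} or TCP marker
    rf"(?P<src_ip>{IPV4}):\d+\s+->\s+"       # source address:port
    rf"(?P<dst_ip>{IPV4}):\d+"               # destination address:port
)


def extract(event: str):
    """Return {'virus_name', 'src_ip', 'dst_ip'} for a snort alert, else None."""
    m = SNORT_RE.search(event)
    return m.groupdict() if m else None


def count_by_virus(events):
    """Equivalent of '| stats count by virus_name' over the extracted rows."""
    return Counter(row["virus_name"] for row in map(extract, events) if row)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract(ev))
    print(count_by_virus(SAMPLE_EVENTS))
```

The same pattern can be pasted into the rex command once the `(?P<name>...)` groups are written as `(?<name>...)`, which is the form Splunk accepts.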