Splunk Search

Field Extraction : regex works fine with search using "rex" command but not with Field extraction

Flo-Paris
Explorer

Hello,

I'm trying to analyze WatchGuard firewall logs received by Splunk using syslog on udp 514 port.

I was able to find a well-working regex to use in a search, using the following rex command to extract the needed fields:

*
| rex field=_raw ".*\s(?<HOSTNAME>\S+)\s(?<PROCESS>\S+):\s.*\s(?<DISPOSITION>(Allow|Deny))\s(?<SRC_INT>\S+)\s(?<DST_INT>\S+)\s.*(?<PR>(icmp|igmp|tcp|udp)).*\s(?<SRC_IP>[[octet]](?:\.[[octet]]){3})\s(?<DST_IP>[[octet]](?:\.[[octet]]){3})\s(?<SRC_PORT>\d{1,5})\s(?<DST_PORT>\d{1,5})\s.*\((?P<RULE_NAME>.*)?(-00)\)$"
| table HOSTNAME,PROCESS,DISPOSITION,SRC_INT,DST_INT,PR,SRC_IP,DST_IP,SRC_PORT,DST_PORT,RULE_NAME


Result is a table as we can see in attachment.

Now, in order to optimize all of that, I would like to be able to extract all these fields automatically, without needing to use a rex command in each search I run...

I tried using the Splunk field extraction wizard, both with the automatic regex generator and by copy-pasting my search regex, but with no success...

I suppose I missed something somewhere?

Thanks for your help

Florent


0 Karma

Flo-Paris
Explorer

Here are my existing Field Extractions in the Splunk Settings / Fields / Field Extractions menu

0 Karma

Flo-Paris
Explorer

Even if Splunk field extraction wizard seems to match my fields already...

0 Karma

Flo-Paris
Explorer

Only "RULE_NAME" seems to be correctly extracted by default (see attachment), i don't know why...

0 Karma

Flo-Paris
Explorer

Example of an original log received:

Apr 21 15:04:33 10.40.1.254 Apr 21 15:04:33 FRPARXXX0001.mydomain.local firewall: msg_id="3000-0151" Allow Firebox EXT-FIBER-XXX-100 udp 1XX.XXX.XXX.1 1.XXX.XXX.10 39010 53 dst_user="administrator@mydomain.local" duration="32" sent_bytes="68" rcvd_bytes="128" (Any From Firebox-00)

0 Karma
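Added example, not code from the post or from Splunk: the script below runs the rex pattern from the first post over a constructed WatchGuard-style event to show exactly which fields it captures, and renders the same pattern as a transforms.conf REGEX stanza wired to a sourcetype through a props.conf REPORT- setting. Two things are assumed: that `[[octet]]` has the definition Splunk ships in its default transforms.conf (`(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`), which is expanded inline because Python's `re` has no modular-regex syntax, and the sourcetype and stanza names (`watchguard`, `watchguard_traffic`), which are placeholders. The event with real octets is constructed; the masked line from the post is included as-is to show that `X` characters cannot satisfy `[[octet]]`, so a masked sample will never match this pattern.

```python
import re

# Splunk's built-in "octet" modular regex, as defined in its default transforms.conf
# ([octet] stanza). Expanded inline here because Python's re has no [[name]] syntax.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# The pattern from the post. The only edits are the [[octet]] expansion above and
# the (?<name>...) groups rewritten as (?P<name>...), which Python requires.
WATCHGUARD_REGEX = re.compile(
    r".*\s(?P<HOSTNAME>\S+)\s(?P<PROCESS>\S+):\s.*\s(?P<DISPOSITION>(Allow|Deny))\s"
    r"(?P<SRC_INT>\S+)\s(?P<DST_INT>\S+)\s.*(?P<PR>(icmp|igmp|tcp|udp)).*\s"
    rf"(?P<SRC_IP>{IPV4})\s(?P<DST_IP>{IPV4})\s"
    r"(?P<SRC_PORT>\d{1,5})\s(?P<DST_PORT>\d{1,5})\s.*\((?P<RULE_NAME>.*)?(-00)\)$"
)

FIELDS = ["HOSTNAME", "PROCESS", "DISPOSITION", "SRC_INT", "DST_INT", "PR",
          "SRC_IP", "DST_IP", "SRC_PORT", "DST_PORT", "RULE_NAME"]

# Constructed sample event in the same shape as the one in the post, with the
# masked "XXX" octets replaced by real digits so the octet pattern can match it.
SAMPLE_EVENT = (
    'Apr 21 15:04:33 10.40.1.254 Apr 21 15:04:33 fw01.example.local firewall: '
    'msg_id="3000-0151" Allow Firebox EXT-FIBER-100 udp 10.40.1.50 192.0.2.10 '
    '39010 53 dst_user="administrator@example.local" duration="32" sent_bytes="68" '
    'rcvd_bytes="128" (Any From Firebox-00)'
)

# The post's own example line, kept masked: the Xs are not digits, so [[octet]]
# cannot match and the whole pattern fails. Testing an extraction against a
# masked sample therefore gives a false negative.
MASKED_EVENT = (
    'Apr 21 15:04:33 10.40.1.254 Apr 21 15:04:33 FRPARXXX0001.mydomain.local '
    'firewall: msg_id="3000-0151" Allow Firebox EXT-FIBER-XXX-100 udp 1XX.XXX.XXX.1 '
    '1.XXX.XXX.10 39010 53 dst_user="administrator@mydomain.local" duration="32" '
    'sent_bytes="68" rcvd_bytes="128" (Any From Firebox-00)'
)


def extract_fields(raw):
    """Apply the pattern to one event, like `rex field=_raw`, and return the
    captured fields as a dict, or None when the event does not match."""
    match = WATCHGUARD_REGEX.search(raw)
    if match is None:
        return None
    return {name: match.group(name) for name in FIELDS}


def transforms_and_props(sourcetype, stanza="watchguard_traffic"):
    """Render the same regex as a search-time extraction: a transforms.conf REGEX
    stanza (where Splunk's [[octet]] modular regex is valid, so it is put back)
    wired to the sourcetype with a props.conf REPORT- setting. Named groups in
    REGEX become fields directly, so no FORMAT line is needed. The sourcetype and
    stanza names are assumptions, not values from the post."""
    splunk_regex = (WATCHGUARD_REGEX.pattern
                    .replace(IPV4, "[[octet]](?:\\.[[octet]]){3}")
                    .replace("(?P<", "(?<"))
    transforms = f"[{stanza}]\nREGEX = {splunk_regex}\n"
    props = f"[{sourcetype}]\nREPORT-{stanza} = {stanza}\n"
    return transforms, props


if __name__ == "__main__":
    for name, value in (extract_fields(SAMPLE_EVENT) or {}).items():
        print(f"{name:12} = {value}")
    print("masked line matches:", extract_fields(MASKED_EVENT) is not None)
    t, p = transforms_and_props("watchguard")
    print("--- transforms.conf ---\n" + t + "--- props.conf ---\n" + p)
```

Running it prints the eleven fields the rex table in the post shows (HOSTNAME, PROCESS, DISPOSITION, ..., RULE_NAME = "Any From Firebox") for the constructed event, reports that the masked line does not match, and emits the two configuration stanzas. Note that the pattern hard-codes the `-00` policy suffix before the closing parenthesis, so an event whose rule name carries a different suffix will not match at all rather than matching with an empty RULE_NAME.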