Splunk Search

Field extraction

splunkingsplun1
Explorer

I used the IFX tool in Splunk for some of my logs. I am trying to extract the severity of attacks in my IPS logs which are categorized (high, medium, low, info/informational). The logs look something like this:

Dec 25 08:58:14 172.16.48.100 Netdefender: 25-12-2013 08:55:21 WARNING 12572 Intrusions "SIP-Scanner-SIPVicious" UDP 188.138.34.198 5077 172.16.48.100 5060 1 Regular "Primary_Aggregate" occur 1 3 N/A 0 N/A high drop FFFFFFFF-FFFF-FFFF-0027-000052F2B407

Dec 25 08:55:21 172.16.48.150 Netdefender: 25-12-2013 08:55:21 WARNING 350 Anti-Scanning "TCP Scan" TCP 198.20.99.130 0 0.0.0.0 0 0 Regular "Primary_Aggregate" ongoing 0 0 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-1E24-000052F089EF

Dec 25 08:55:26 172.16.48.200 Netdefender: 25-12-2013 08:55:20 WARNING 350 Anti-Scanning "TCP Scan" TCP 42.114.23.195 0 0.0.0.0 0 0 Regular "Primary_Aggregate" ongoing 3 1 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-52BF-000F521C7F60

Dec 25 08:55:16 172.16.48.150 Netdefender: 25-12-2013 08:55:16 WARNING 350 Anti-Scanning "TCP Scan" TCP 198.20.99.130 0 0.0.0.0 0 0 Regular "Primary_Aggregate" ongoing 2 0 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-1E24-000052F089EF

Dec 25 08:55:16 172.16.48.150 Netdefender: 25-12-2013 08:55:16 WARNING 350 Anti-Scanning "TCP Scan" TCP 198.20.99.130 0 0.0.0.0 0 1 Regular "Primary_Aggregate" start 0 0 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-1E24-000052F089EF

Dec 25 08:55:21 172.16.48.200 Netdefender: 25-12-2013 08:55:15 WARNING 350 Anti-Scanning "TCP Scan" TCP 198.143.173.176 0 0.0.0.0 0 0 Regular "Primary_Aggregate" term 0 0 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-6C70-000F521C7F60

This is the regex that IFX generated:

(?i)/.*? (?P<FIELDNAME>[a-z]+)(?= )

So to test I did:

sourcetype=netdefender | rex field=_raw "(?i)/.*? (?P<FIELDNAME>[a-z]+)(?= )"

For some reason the field FIELDNAME is extracting some occurrences of the values (term, ongoing, sampled, TCP). Does anyone have any ideas on a regex they can help me with?

1 Solution

gfuente
Motivator

Hello

You can use this regex instead:

\s(?<severity>high|medium|info|informational|low)\s

In your search

sourcetype=netdefender | rex field=_raw "\s(?<severity>high|medium|info|informational|low)\s"

Regards

0 Karma
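To see why the IFX pattern misfires and what the suggested one does, here is an added example (Python's re module rather than Splunk's rex, and not code from the original thread): the IFX regex anchors on the first "/" in the event, so a constructed attack name containing a slash makes it capture "TCP", and the plain alternation can be fooled by a constructed attack name containing the word "low". An anchored variant that additionally requires the trailing action token and GUID-style id is shown as a hardening step; the group syntax is rewritten as `(?P<name>...)`, which is what Python requires.

```python
import re

# Constructed sample events modelled on the Netdefender lines in the post.
# Event 1 is one of the original lines; events 2 and 3 are constructed to show
# two failure modes: a '/' inside the quoted attack name, and the word "low"
# inside it. Adjacent string literals are concatenated by Python.
LOGS = [
    'Dec 25 08:58:14 172.16.48.100 Netdefender: 25-12-2013 08:55:21 WARNING 12572 '
    'Intrusions "SIP-Scanner-SIPVicious" UDP 188.138.34.198 5077 172.16.48.100 5060 1 '
    'Regular "Primary_Aggregate" occur 1 3 N/A 0 N/A high drop FFFFFFFF-FFFF-FFFF-0027-000052F2B407',
    'Dec 25 08:55:21 172.16.48.150 Netdefender: 25-12-2013 08:55:21 WARNING 350 '
    'Anti-Scanning "HTTP/SIP Scan" TCP 198.20.99.130 0 0.0.0.0 0 0 '
    'Regular "Primary_Aggregate" ongoing 0 0 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-1E24-000052F089EF',
    'Dec 25 08:55:26 172.16.48.200 Netdefender: 25-12-2013 08:55:20 WARNING 350 '
    'Anti-Scanning "Slow and low Scan" TCP 42.114.23.195 0 0.0.0.0 0 0 '
    'Regular "Primary_Aggregate" ongoing 3 1 N/A 0 N/A medium drop FFFFFFFF-FFFF-FFFF-52BF-000F521C7F60',
]

# The IFX-generated pattern: starts at the first '/' in the event, then takes the
# first whitespace-delimited run of letters that is followed by a space.
IFX_REGEX = re.compile(r'(?i)/.*? (?P<severity>[a-z]+)(?= )')
# The pattern from the answer: whitespace-delimited severity keyword, first match wins.
ANSWER_REGEX = re.compile(r'\s(?P<severity>high|medium|info|informational|low)\s')
# Hardened variant (assumption: severity is always followed by the action and the
# GUID-style id at the end of the event): anchor on that structure and on end of line,
# so a stray "low" inside an attack name cannot be picked up.
ANCHORED_REGEX = re.compile(
    r'\s(?P<severity>high|medium|low|informational|info)\s+(?P<action>\S+)\s+'
    r'[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\s*$')


def extract(pattern, line):
    """Return the severity captured by pattern (first match, like rex), or None."""
    m = pattern.search(line)
    return m.group('severity') if m else None


def compare(lines):
    """Run all three patterns over every event; returns one dict per event."""
    return [{'ifx': extract(IFX_REGEX, line),
             'answer': extract(ANSWER_REGEX, line),
             'anchored': extract(ANCHORED_REGEX, line)} for line in lines]


if __name__ == '__main__':
    for row in compare(LOGS):
        print(row)
```

Only the anchored pattern returns the true severity for all three events; the IFX pattern reports "TCP" for the slash-containing name and the plain alternation reports "low" for the third event, which is actually medium.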

splunkingsplun1
Explorer

Yes, that seems to be the obvious answer... Sorry! Low on caffeine and being a beginning regexer is my excuse.

0 Karma