Splunk Search

Help on REGEX match ignoring non-mandatory string at its end

Flo-Paris
Explorer

Hello,

I searched for a few hours for how to extract the RULE_NAME field from my Firewall logs, without success.

RULE_NAME is at the end of the log line, between (). It can contain any characters, including spaces, "-" or "_".

My problem comes from the fact that the RULE_NAME sometimes ends with a 3-character string I need to remove: "-00".

Here is my current regex, but it doesn't work for the simple "Internal Policy" RULE_NAME:

.*\s+\((?P<RULE_NAME>.*)?(-00)\)$

Here are the original log lines I need to match:

May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)
May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52481 53 msg="DNS Forwarding" src_user="yal@mycorp.lan" record_type="A" question="sync.srv.stackadapt.com" (Internal Policy)
May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (My super rule name with space DNS.out)

Any idea how to ignore the "-00" suffix when present?

thanks

Florent


1 Solution

maciep
Champion

something like this maybe?

\((?<rule_name>.*?)(?:-00)?\)$


maciep
Champion

Speaking of which... in case there are some rogue parens in the message, maybe this is even a bit safer, instead of matching everything...

\((?<rule_name>[^\(]+?)(?:-00)?\)$

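As an added illustration (not part of the thread, and not code from the poster or from maciep): the three sample lines from the question plus one constructed line containing an earlier "(" inside a quoted field, run through the poster's original regex and both of maciep's patterns using Python's re module. Splunk's rex command is PCRE-based and accepts the (?<name>...) named-group syntax used in the answers; Python's re only accepts (?P<name>...), so that is the one change made to the patterns below. Group 1 is the rule-name capture in all three patterns.

```python
import re

# Sample input: the three log lines from the question (IPs masked as in the
# post) plus one constructed line (ROGUE_LINE) with a "(" in a quoted field.
LOG_LINES = [
    'May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: '
    'msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 '
    '172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)',
    'May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: '
    'msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 '
    '172.21.20.254 52481 53 msg="DNS Forwarding" src_user="yal@mycorp.lan" '
    'record_type="A" question="sync.srv.stackadapt.com" (Internal Policy)',
    'May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: '
    'msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 '
    '172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" '
    '(My super rule name with space DNS.out)',
]
# Constructed: same shape as the second line, but msg= carries its own parens.
ROGUE_LINE = (
    'May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: '
    'msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 '
    '172.21.20.254 52481 53 msg="DNS Forwarding (retry)" src_user="yal@mycorp.lan" '
    '(Internal Policy)'
)

# The poster's original pattern: "-00" is mandatory, so any rule name that
# lacks the suffix does not match at all.
ORIGINAL = re.compile(r'.*\s+\((?P<RULE_NAME>.*)?(-00)\)$')

# Accepted answer: lazy capture, optional non-capturing "-00", anchored at end
# of line. Because the capture is lazy, the optional "-00" is tried (and
# consumed) before the capture is allowed to grow over it.
ACCEPTED = re.compile(r'\((?P<rule_name>.*?)(?:-00)?\)$')

# Follow-up variant: the capture cannot cross another "(", so a parenthesised
# fragment earlier in the message is skipped instead of swallowed.
NO_ROGUE_PARENS = re.compile(r'\((?P<rule_name>[^\(]+?)(?:-00)?\)$')


def extract_rule_name(line, pattern=NO_ROGUE_PARENS):
    """Return the rule name captured by `pattern`, or None if it does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def compare(lines):
    """Run each line through all three patterns; returns one dict per line."""
    return [
        {
            "original": extract_rule_name(line, ORIGINAL),
            "accepted": extract_rule_name(line, ACCEPTED),
            "no_rogue_parens": extract_rule_name(line, NO_ROGUE_PARENS),
        }
        for line in lines
    ]


if __name__ == "__main__":
    sample = LOG_LINES + [ROGUE_LINE]
    for line, result in zip(sample, compare(sample)):
        print("..." + line[-55:])
        for name, value in result.items():
            print(f"  {name:16} -> {value!r}")
```

Two things the run makes visible. First, the laziness of `.*?` is what strips the suffix: with a greedy `.*` in the same position the engine would capture "DNS-01-proxy_user.out-00" and let the optional `(?:-00)?` match empty, so "-00" would be kept. Second, on the constructed line with an earlier "(retry)", the accepted pattern returns everything from that first "(" onward, while the `[^\(]+?` variant correctly returns "Internal Policy". In Splunk the same extraction is `| rex field=_raw "\((?<rule_name>[^\(]+?)(?:-00)?\)$"`.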


Flo-Paris
Explorer

Thanks, it's perfect; it seems so simple... when you master regex ;-))
