Splunk Search

Help with Regex...?

prakash007
Builder

I'm trying to extract the following from this regex...somehow i am not able to get the browser agent and status...

some of the data doesn't have a user agent..any help to get IP, UserAgent(optional), status

(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d+)\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s?\-?\s(?P<UserAgent>.*\))?\s?(?P<status>\d+)


GET /user/stell_static/legacy/css/share.css - 443 - 192.188.2.0 - 404

GET / - 443 - 192.168.28.0 - 200 0 0 0

GET /public/about.html - 443 - 192.168.26.7 - 403

POST /data/willer/testsample.php - 443 - 192.168.20.1 Mozilla/4.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.14) 404 0 2 0

GET /ajax/real/setsample.asp - 443 - 192.168.21.0 Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 #apache webserver services #version5.5
Tags (2)
0 Karma
1 Solution

somesoni2
Revered Legend

This should do it

(?P<method>\w+)\s+(?P<URL>\S+)\s+\S+\s+(?P<port>\d+)\s+\S+\s+(?P<IP>\d+\.\d+\.\d+\.\d+)\s+(?P<UserAgent>\S+)\s+(?P<status>\d+)

https://regex101.com/r/Vg9lbg/1

View solution in original post

0 Karma

gokadroid
Motivator

This will work for all you cases:

(?P<method>[\w]+)\s+(?P<URL>[^\s]+)\s+\S+\s+(?P<port>[\d]+)\s+\S+\s+(?P<IP>[\d\.]+)\s+(?P<UserAgent>[\S]+)\s+(?P<status>[\d]+)

inventsekar
SplunkTrust
SplunkTrust

tested and its working good..

sourcetype="post" 
| rex field=_raw "(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d{3})\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s(?P<UserAgent>.*)\s(?P<status>\d{3})"
| table method URL port IP UserAgent status _raw

alt text

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

somesoni2
Revered Legend

This should do it

(?P<method>\w+)\s+(?P<URL>\S+)\s+\S+\s+(?P<port>\d+)\s+\S+\s+(?P<IP>\d+\.\d+\.\d+\.\d+)\s+(?P<UserAgent>\S+)\s+(?P<status>\d+)

https://regex101.com/r/Vg9lbg/1

0 Karma

gcusello
SplunkTrust
SplunkTrust

Try this one:

(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d+)\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s(?P<UserAgent>[^ ]*)?\s?(?P<status>\d\d\d)

If you want to modify it test on https://regex101.com/

Bye.
Giuseppe

0 Karma

prakash007
Builder

somehow it's not working well for this kind of data

GET /ajax/real/setsample.asp - 443 - 192.168.21.0 Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 950 #softwate#apache 560 731

UserAgent=Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 950 #softwate#apache 560
 expected(UserAgent=Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0)

status=731
(expected status=200)

GET / - 443 - 192.168.67.1 - 200 0 0 202

UserAgent= -200
(expected UserAgent = -)

status=202
(expected status=200)
0 Karma

skoelpin
SplunkTrust
SplunkTrust

You should create 2 separate fields for the user agent string and the status code

User gent string regex
(?P<UserAgent>\d+\.\d+\.\d+\.\d+\s(\S+))

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...