Solved: Help with Regex...?

prakash007 · ‎10-18-2016

I'm trying to extract the following from this regex...somehow i am not able to get the browser agent and status...

some of the data doesn't have a user agent..any help to get IP, UserAgent(optional), status

(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d+)\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s?\-?\s(?P<UserAgent>.*\))?\s?(?P<status>\d+)


GET /user/stell_static/legacy/css/share.css - 443 - 192.188.2.0 - 404

GET / - 443 - 192.168.28.0 - 200 0 0 0

GET /public/about.html - 443 - 192.168.26.7 - 403

POST /data/willer/testsample.php - 443 - 192.168.20.1 Mozilla/4.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.14) 404 0 2 0

GET /ajax/real/setsample.asp - 443 - 192.168.21.0 Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 #apache webserver services #version5.5

somesoni2 · ‎10-18-2016

This should do it

(?P<method>\w+)\s+(?P<URL>\S+)\s+\S+\s+(?P<port>\d+)\s+\S+\s+(?P<IP>\d+\.\d+\.\d+\.\d+)\s+(?P<UserAgent>\S+)\s+(?P<status>\d+)

https://regex101.com/r/Vg9lbg/1

View solution in original post

gokadroid · ‎10-18-2016

This will work for all you cases:

(?P<method>[\w]+)\s+(?P<URL>[^\s]+)\s+\S+\s+(?P<port>[\d]+)\s+\S+\s+(?P<IP>[\d\.]+)\s+(?P<UserAgent>[\S]+)\s+(?P<status>[\d]+)

inventsekar · ‎10-18-2016

tested and its working good..

sourcetype="post" 
| rex field=_raw "(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d{3})\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s(?P<UserAgent>.*)\s(?P<status>\d{3})"
| table method URL port IP UserAgent status _raw

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

somesoni2 · ‎10-18-2016

This should do it

(?P<method>\w+)\s+(?P<URL>\S+)\s+\S+\s+(?P<port>\d+)\s+\S+\s+(?P<IP>\d+\.\d+\.\d+\.\d+)\s+(?P<UserAgent>\S+)\s+(?P<status>\d+)

https://regex101.com/r/Vg9lbg/1

gcusello · ‎10-18-2016

Try this one:

(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d+)\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s(?P<UserAgent>[^ ]*)?\s?(?P<status>\d\d\d)

If you want to modify it test on https://regex101.com/

Bye.
Giuseppe

prakash007 · ‎10-18-2016

somehow it's not working well for this kind of data

GET /ajax/real/setsample.asp - 443 - 192.168.21.0 Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 950 #softwate#apache 560 731

UserAgent=Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 950 #softwate#apache 560
 expected(UserAgent=Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0)

status=731
(expected status=200)

GET / - 443 - 192.168.67.1 - 200 0 0 202

UserAgent= -200
(expected UserAgent = -)

status=202
(expected status=200)

skoelpin · ‎10-18-2016

You should create 2 separate fields for the user agent string and the status code

User gent string regex
(?P<UserAgent>\d+\.\d+\.\d+\.\d+\s(\S+))

Help with Regex...?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?