Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with regex search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhampton3rd
Explorer
07-24-2014
02:45 PM
Good Afternoon,
I would like to use a regex search to get "Inbound TCP connection denied" and "High". What's the correct regex command to pull these out of the CEF event. Also, I'll eventually would like to create a table showing how many "High", "Medium", "Low" events show up in the last hour.
Jul 24 11:32:11 host-host-h05 CEF:0|CISCO|ASA||106001|Inbound TCP connection denied|High| eventId=1247891
Thanks for your help.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
07-24-2014
03:41 PM
I don't think you want regex - if what you want to do is to extract the data into a field, you want rex. For example
yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
This gives you two fields message and level. It assumes that there are 5 | (pipe) symbols before the message string and that the fields are delimited with additional |.
You could get the table by doing this
yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
| stats count by level
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
07-24-2014
03:41 PM
I don't think you want regex - if what you want to do is to extract the data into a field, you want rex. For example
yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
This gives you two fields message and level. It assumes that there are 5 | (pipe) symbols before the message string and that the fields are delimited with additional |.
You could get the table by doing this
yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
| stats count by level
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhampton3rd
Explorer
07-25-2014
05:30 AM
Thanks lguinn. Big Help!!!
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
