Good Afternoon,
I would like to use a regex search to get "Inbound TCP connection denied" and "High". What's the correct regex command to pull these out of the CEF event? Also, I would eventually like to create a table showing how many "High", "Medium", "Low" events show up in the last hour.
Jul 24 11:32:11 host-host-h05 CEF:0|CISCO|ASA||106001|Inbound TCP connection denied|High| eventId=1247891
Thanks for your help.
I don't think you want regex - if what you want to do is to extract the data into a field, you want rex. For example

yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"

This gives you two fields, message and level. It assumes that there are 5 | (pipe) symbols before the message string and that the fields are delimited with additional |.

You could get the table by doing this

yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
| stats count by level
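As an added illustration (not part of the thread, and not Splunk's own code), the following Python script does offline what the rex and stats pipeline above does in Splunk: it applies the same "five pipes, then message, then level" pattern in Python's re syntax, and then counts events by severity. It also shows the caveat a practitioner should know about that pattern: the CEF header allows a literal pipe inside a field to be escaped as \|, so a Name field containing \| will throw the five-pipe regex off. The split_cef_header function honours that escape. All sample events are constructed for this example; only the first one is the line from the question.

```python
import re
from collections import Counter

# Constructed sample events in the same syslog + CEF shape as the line in
# the question (the first entry is that line; the rest are made up here).
SAMPLE_EVENTS = [
    "Jul 24 11:32:11 host-host-h05 CEF:0|CISCO|ASA||106001|Inbound TCP connection denied|High| eventId=1247891",
    "Jul 24 11:32:12 host-host-h05 CEF:0|CISCO|ASA||106023|Deny tcp src outside|Medium| eventId=1247892",
    "Jul 24 11:32:13 host-host-h05 CEF:0|CISCO|ASA||302013|Built inbound TCP connection|Low| eventId=1247893",
    "Jul 24 11:32:14 host-host-h05 CEF:0|CISCO|ASA||106001|Inbound TCP connection denied|High| eventId=1247894",
    # Constructed event whose Name field contains an escaped pipe (\|), which
    # the simple five-pipe rex mis-parses. Vendor/product names are made up.
    "Jul 24 11:32:15 host-host-h05 CEF:0|ACME|Gateway|1.0|42|Rule A\\|B matched|High| eventId=1247895",
]

# The rex pattern from the answer, written in Python's named-group syntax.
REX_PATTERN = re.compile(r"(?:.*?\|){5}(?P<message>.*?)\|(?P<level>.*?)\|")

# Order of the seven CEF header fields, following the CEF header layout:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER_FIELDS = (
    "version", "vendor", "product", "device_version",
    "signature_id", "name", "severity",
)


def rex_extract(event):
    """Apply the answer's rex pattern; returns (message, level) or None."""
    m = REX_PATTERN.search(event)
    if not m:
        return None
    return m.group("message"), m.group("level")


def split_cef_header(event):
    """Split the CEF header into its seven fields plus the extension.

    Unlike the plain regex, this walks the header character by character so
    that an escaped pipe (\\|) or escaped backslash (\\\\) inside a header
    field is treated as data, not as a field delimiter.
    """
    start = event.find("CEF:")
    if start < 0:
        return None
    text = event[start + len("CEF:"):]
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            current.append(text[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if len(fields) < len(CEF_HEADER_FIELDS):
        return None                       # malformed or truncated header
    record = dict(zip(CEF_HEADER_FIELDS, fields))
    record["extension"] = text[i:].strip()
    return record


def count_by_severity(events):
    """Offline equivalent of '| stats count by level' over parsed events."""
    counts = Counter()
    for ev in events:
        rec = split_cef_header(ev)
        if rec is not None:
            counts[rec["severity"]] += 1
    return dict(counts)


def count_matching(events, name, severity):
    """Count events whose Name and Severity equal the given values, i.e. the
    specific question asked ('Inbound TCP connection denied' at 'High')."""
    return sum(
        1 for ev in events
        if (rec := split_cef_header(ev)) is not None
        and rec["name"] == name and rec["severity"] == severity
    )


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("rex :", rex_extract(ev))
        rec = split_cef_header(ev)
        print("cef :", rec["name"], "/", rec["severity"])
    print(count_by_severity(SAMPLE_EVENTS))
    print(count_matching(SAMPLE_EVENTS, "Inbound TCP connection denied", "High"))
```

Running it shows the regex and the header splitter agreeing on the four ASA events, and disagreeing on the fifth: the regex returns the truncated message "Rule A\" with level "B matched", while the splitter correctly yields the name "Rule A|B matched" with severity "High". In Splunk the same concern argues for a dedicated CEF add-on or a stricter rex when vendors are known to escape pipes in the Name field.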
Thanks lguinn. Big Help!!!