Solved: Help with regex search

jhampton3rd · ‎07-24-2014

Good Afternoon,

I would like to use a regex search to get "Inbound TCP connection denied" and "High". What's the correct regex command to pull these out of the CEF event. Also, I'll eventually would like to create a table showing how many "High", "Medium", "Low" events show up in the last hour.

Jul 24 11:32:11 host-host-h05 CEF:0|CISCO|ASA||106001|Inbound TCP connection denied|High| eventId=1247891

Thanks for your help.

lguinn2 · ‎07-24-2014

I don't think you want regex - if what you want to do is to extract the data into a field, you want rex. For example

yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"

This gives you two fields message and level. It assumes that there are 5 | (pipe) symbols before the message string and that the fields are delimited with additional |.

You could get the table by doing this

yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
| stats count by level

View solution in original post

lguinn2 · ‎07-24-2014

I don't think you want regex - if what you want to do is to extract the data into a field, you want rex. For example

yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"

This gives you two fields message and level. It assumes that there are 5 | (pipe) symbols before the message string and that the fields are delimited with additional |.

You could get the table by doing this

yoursearchhere
| rex "(?:.*?\|){5}(?<message>.*?)\|(?<level>.*?)\|"
| stats count by level

View solution in original post

jhampton3rd · ‎07-25-2014

Thanks lguinn. Big Help!!!