Splunk Search

How do I send syslog data to nullQueue from a single source IP but multiple destination IPs?

scottrunyon
Contributor

I am receiving Syslog data from the firewall and I would like to send a subset of it to the nullQueue.

The issue I am having is that I have two set values (action and srcip) but 6 values for the destination.

The formats of the fields of the raw data are -

action="deny" scrip=10.12.55.55 dstip=192.168.10.0 

The regex I have come up with is:

(?:srcip\=10\\.12\\.55\\.55)|(?:dstip\=192\\.168\\.10\\.*)|(?:dstip\=172\\.16\\.10\\.*)|(?:dstip\=172\\.18\\.10\\.*)|(?:action\=\"deny\")

What happens is that the "|" acts as an "or" so I will be dumping too much information.

My question is what is the format to place in transforms.conf to filter out the events to be dropped?

Regards,

Scott

0 Karma

gcusello
Esteemed Legend

Hi @scottrunyon,
it's not clear for me if you want to discard the events whereall the three conditions are true ( action="deny" scrip=10.12.55.55 dstip=192.168.10.0) or only events where the condition 1 and 2 or 3 are true ( action="deny" AND (scrip=10.12.55.55 OR dstip=192.168.10.0)).
If the first, the regex is easy:

action="deny" scrip=10.12.55.55 dstip=192.168.10.0

you can test it at https://regex101.com/r/ROejtS/1
if the second:

action\=\"deny\" (scrip\=10\.12\.55\.55)|(dstip=192\.168\.10\.0)

that you can test at https://regex101.com/r/ROejtS/2

Use always Code Sample button (101010) to insert a regex in a question, otherwise we cannot see your regex.

Ciao.
Giuseppe

0 Karma

scottrunyon
Contributor

Giuseppe,
Thanks for the response. I want to dump the events where action="deny" and scrip=10.12.55.55 are always present and there can be multiple dstip entries. Based on your answer, will the regex in transforms.conf look like this?

(?:action=\"deny\") (?:srcip=10.12.55.55) (?:dstip=192.168.10.)|(?:dstip=172.16.10.)|(?:dstip=172.18.10.)

Regards,

Scott

0 Karma

scottrunyon
Contributor

Giuseppe,

I ended up adding a seperate transforms.conf entry for each dstip. After testing, it appears to be working.

Regards,

Scott

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...