Solved: Re: How do I write the regex to properly extract a...

pmloikju · ‎08-19-2015

Hi,

I need to extract attack names from Fortigate logs. All attack logs are the same, but only a few are correctly extracted.

As you can see below, the two first attack fields are correctly extracted with "WebRTC..." but the other with "Nuclear.exploit.Kit" or "OpenSSL.ChangeCipher.Injection" are not detected.

I tried to manually extract the fields using regex, but I didn't succeed using the extract command.

Thanks for help 😉

somesoni2 · ‎08-19-2015

Try something like this for start

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction by Splunk web (Settings->Fields->Field extractions) OR props.conf within the app.

View solution in original post

somesoni2 · ‎08-19-2015

Try something like this for start

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction by Splunk web (Settings->Fields->Field extractions) OR props.conf within the app.

pmloikju · ‎08-19-2015

Whoo! Amazing, thanks !
It's work perfectly
i'll try to understand this regex !

richgalloway · ‎08-19-2015

What is the regex string you're using?

---
If this reply helps you, Karma would be appreciated.

pmloikju · ‎08-19-2015

I use auto extract by default, all selected field are correctly extract except attack.

I try "extract new fields" in the bottom of the left column in event tab.

I manualy select attack="values" or just the values but i can't get all attack values been extract.

I need attack="*"

How do I write the regex to properly extract all attack names from my sample Fortigate logs?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk