Splunk Search

How do I write the regex to properly extract all attack names from my sample Fortigate logs?

pmloikju
Explorer

Hi,

I need to extract attack names from Fortigate logs. All attack logs are the same, but only a few are correctly extracted.

As you can see below, the first two attack fields are correctly extracted with "WebRTC..." but the others, with "Nuclear.exploit.Kit" or "OpenSSL.ChangeCipher.Injection", are not detected.

I tried to manually extract the fields using regex, but I didn't succeed using the extract command.

Thanks for the help 😉

0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this for a start:

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction via Splunk Web (Settings -> Fields -> Field extractions) or in props.conf within the app.

View solution in original post
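To see what the accepted answer's regex actually does, here is an added, stand-alone Python example (not code from the original thread or from Splunk) that applies the same `attack="..."` pattern to a few constructed Fortigate-style IPS events. The sample events, the device name and the IP addresses are made up; the attack names reuse the ones the poster mentions. It goes slightly beyond the answer by also accepting an unquoted `attack=value` token, and it shows that events without an attack field (plain traffic logs) are skipped rather than mis-extracted.

```python
import re
from collections import Counter

# Constructed sample Fortigate-style IPS/traffic events (not from the original post).
# Addresses are RFC 5737 documentation ranges; devname and attackid values are made up.
SAMPLE_EVENTS = [
    'date=2017-03-01 time=10:15:02 devname="FGT-EXAMPLE" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="high" srcip=192.0.2.10 '
    'dstip=198.51.100.7 action="dropped" attack="Nuclear.exploit.Kit" attackid=40000 '
    'msg="web_misc: Nuclear.exploit.Kit"',
    'date=2017-03-01 time=10:15:09 devname="FGT-EXAMPLE" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="critical" srcip=192.0.2.11 '
    'dstip=198.51.100.7 action="detected" attack="OpenSSL.ChangeCipher.Injection" attackid=40001',
    # Constructed edge case: the attack value is not quoted.
    'date=2017-03-01 time=10:15:20 devname="FGT-EXAMPLE" subtype="ips" '
    'attack=Example.Unquoted.Signature attackid=40002',
    # Constructed traffic event with no attack field at all: must yield no attack name.
    'date=2017-03-01 time=10:15:31 devname="FGT-EXAMPLE" type="traffic" subtype="forward" '
    'action="accept"',
]

# First branch is the accepted answer's pattern: a quoted value containing no quote
# characters. The second branch accepts a bare token so unquoted events still extract.
# The leading \b stops "xattack=" from matching; "attackid=" never matches because
# the literal "attack=" is not followed by "id".
ATTACK_RE = re.compile(r'\battack=(?:"(?P<attack>[^"]+)"|(?P<bare>[^\s"]+))')

# Equivalent search-time extraction for props.conf, as the answer suggests saving it:
#   EXTRACT-attack = attack="(?<attack>[^"]+)"


def extract_attack(event: str):
    """Return the attack name from one event, or None when it has no attack field."""
    m = ATTACK_RE.search(event)
    if not m:
        return None
    return m.group("attack") or m.group("bare")


def attack_counts(events):
    """Count attack names across events; events without an attack field are ignored."""
    return Counter(name for name in map(extract_attack, events) if name is not None)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_attack(event))
    print(attack_counts(SAMPLE_EVENTS))
```

The `[^"]+` character class is what makes the pattern robust for names such as `Nuclear.exploit.Kit`: dots, spaces and other punctuation inside the quotes are all captured, and the match stops only at the closing quote.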

pmloikju
Explorer

Whoo! Amazing, thanks!
It works perfectly.
I'll try to understand this regex!

richgalloway
SplunkTrust

What is the regex string you're using?

---
If this reply helps you, Karma would be appreciated.
0 Karma

pmloikju
Explorer

I use auto extract by default; all selected fields are correctly extracted except attack.

I tried "extract new fields" at the bottom of the left column in the Events tab.

I manually select attack="values" or just the values, but I can't get all attack values to be extracted.

I need attack="*"

0 Karma