Splunk Search

How do I write the regex to properly extract all attack names from my sample Fortigate logs?

Explorer

Hi,

I need to extract attack names from Fortigate logs. All attack logs are the same, but only a few are correctly extracted.

As you can see below, the two first attack fields are correctly extracted with "WebRTC..." but the other with "Nuclear.exploit.Kit" or "OpenSSL.ChangeCipher.Injection" are not detected.

I tried to manually extract the fields using regex, but I didn't succeed using the extract command.
alt text

Thanks for help 😉

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try something like this for start

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction by Splunk web (Settings->Fields->Field extractions) OR props.conf within the app.

View solution in original post

SplunkTrust
SplunkTrust

Try something like this for start

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction by Splunk web (Settings->Fields->Field extractions) OR props.conf within the app.

View solution in original post

Explorer

Whoo! Amazing, thanks !
It's work perfectly
i'll try to understand this regex !

SplunkTrust
SplunkTrust

What is the regex string you're using?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

I use auto extract by default, all selected field are correctly extract except attack.

I try "extract new fields" in the bottom of the left column in event tab.

I manualy select attack="values" or just the values but i can't get all attack values been extract.

I need attack="*"

0 Karma