Splunk Search

How do I write the regex to properly extract all attack names from my sample Fortigate logs?

Explorer

Hi,

I need to extract attack names from Fortigate logs. All attack logs are the same, but only a few are correctly extracted.

As you can see below, the two first attack fields are correctly extracted with "WebRTC..." but the other with "Nuclear.exploit.Kit" or "OpenSSL.ChangeCipher.Injection" are not detected.

I tried to manually extract the fields using regex, but I didn't succeed using the extract command.
alt text

Thanks for help 😉

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try something like this for start

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction by Splunk web (Settings->Fields->Field extractions) OR props.conf within the app.

View solution in original post

SplunkTrust
SplunkTrust

Try something like this for start

your base search | rex field=_raw "attack=\"(?<attack>[^\"]+)\"" | rest of the search

Once this works, you can save this field extraction by Splunk web (Settings->Fields->Field extractions) OR props.conf within the app.

View solution in original post

Explorer

Whoo! Amazing, thanks !
It's work perfectly
i'll try to understand this regex !

SplunkTrust
SplunkTrust

What is the regex string you're using?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

I use auto extract by default, all selected field are correctly extract except attack.

I try "extract new fields" in the bottom of the left column in event tab.

I manualy select attack="values" or just the values but i can't get all attack values been extract.

I need attack="*"

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!