Splunk Search

How do you put constraints in rex?

changj
New Member

Data:

message:

================>
Request Details:
[requestId:123122313-3453-1122-1112222]
[requestMethod = GET]
[requestUrl = http://api.dev.com/testing.json?FromDate=2019-03-06T11:00:00&ToDate=2019-03-06T12:00:00]
[requestHeaders = {x-amzn-trace-id=Root=66-2342-2342243h2hhhgh424jh3, x-forwarded-proto=https, host=api.dev.com, x-forwarded-port=443, **x-forwarded-for**=xx.xxx.xx.xxx, accept-encoding=gzip, deflate, **user-agent**=python-requests/5.26.9, accept=*/*}]

Query:

index=test_prod sourcetype="test-search-api" | rex field=message "x-forwarded-for=(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^,]+)"| search client_ip="*"*

Expected output:

I'm getting all the IPs, whereas I want only those IPS in which user-agent=SFDC.

Rest of all is good with the query.

Tags (2)
0 Karma

msivill_splunk
Splunk Employee
Splunk Employee

The following might be quicker to execute (untested)

index=test_prod sourcetype="test-search-api" SFDC user-agent
| rex field=message "x-forwarded-for=(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^,]+)"

By putting the search restriction "SFDC user-agent" before the first pipe should mean less work for the rex command as fewer events to process and therefore quicker.

Depending on how field extraction is done user_agent=SFDC instead of just "SFDC user-agent" might be even quicker again. If no field extraction is done try "user_agent=SFDC"

0 Karma

tsaikumar009
Explorer

index=test_prod sourcetype="test-search-api" user-agent=SFDC | rex field=message "x-forwarded-for=(?P< client_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[^,]+)"| table client_ip

Please remove the same from above query in between P< and client_ip.

0 Karma

vnravikumar
Champion

Hi @changj

Try by adding the condition

|rex field=message "x-forwarded-for=(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^,]+).*user-agent=(?P<user_agent>.*)," | where user_agent="SFDC"
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...