Splunk Search

How to exclude a match in regex - Regex

Kanesol
Explorer

I have this search:

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b)+"

and I wish to add this to it as a NOT :

regex cs_uri_stem="\?d=[\w.]+@\w+.\w+"

Not sure how to go about this. Any Input is appreciated.

Tags (1)
1 Solution

hexx
Splunk Employee
Splunk Employee

I think you've got the most reasonable solution already with this search:

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)+" | regex cs_uri_stem="\?d=[\w.]+@\w+.\w+"

Attempting to contract both regular expressions into one probably won't yield any performance benefits.

View solution in original post

hexx
Splunk Employee
Splunk Employee

I think you've got the most reasonable solution already with this search:

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)+" | regex cs_uri_stem="\?d=[\w.]+@\w+.\w+"

Attempting to contract both regular expressions into one probably won't yield any performance benefits.

Kanesol
Explorer

Thanks for confirming that for me. I was hoping for something a little nicer.

0 Karma

Kanesol
Explorer

To update, I've resorted to just adding more and more pipes for each regex which I believe is not optimal but serviceable. I'm hoping someone can come up with a more elegant way 🙂

index="blah" source="blah" cs_Referer_="-" NOT(some keyword exclusion here) | regex cs_host="^(bd{1,3}.d{1,3}.d{1,3}.d{1,3}b)+" | regex cs_uri_stem!="?d=[w.]+@w+.w+"

Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...