Splunk Search

How to extract the field "alert" with the field name action?

balu1211
Path Finder

Hi,

How to extract the field "alert" with the field name "action"?

Help with the regex.

Thanks.


balu1211
Path Finder

XML

ITWhisperer
SplunkTrust

| rex "(?<action>Last Matched Message: \",\"action\"\w+):\"alert\""

balu1211
Path Finder

This one is not working...

ITWhisperer
SplunkTrust

In what way is it not working?


balu1211
Path Finder

Regex is not matching with the XML log


ITWhisperer
SplunkTrust

Please can you share an anonymised sample of the XML log you are trying to extract from?


balu1211
Path Finder

format":"json","version":"1.0",ta":"20829","":"","selector":"REQUEST_HEADERS:Content-Length","tag":"ASE/","id":"3000180","message":"Partial Request Body Inspection Warning - Request Body is larger than the configured inspection limit","version":"1"},{"data":"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, Mitigated Rules: , "selector":"REQUEST_HEADERS:Content-L


ITWhisperer
SplunkTrust

Sorry, there was an extra \w+ which was unnecessary.

| makeresults
| fields - _time
``` Set up example data ```
| eval _raw="format\":\"json\",\"version\":\"1.0\",\"attackData\":{\"rules\":[{\"data\":\"20829\",\"action\":\"alert\",\"selector\":\"REQUEST_HEADERS:Content-Length\",\"tag\":\"ASE/WEB_ATTACK/POLICY\",\"id\":\"3000180\",\"message\":\"Partial Request Body Inspection Warning - Request Body is larger than the configured inspection limit\",\"version\":\"1\"},{\"data\":\"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, Mitigated Rules: , Last Matched Message: \",\"action\":\"alert\",\"selector\":\"REQUEST_HEADERS:Content-Length\",\"tag\":\"ASE/WEB_ATTACK/POLICY\",\"id\":\"POLICY-"
``` ---------------------- ```

``` rex to extract the values ```
| rex "(?<action>Last Matched Message: \",\"action\"):\"alert\""

By the way, your example is not XML; it looks more like part of a JSON message.

balu1211
Path Finder
@ITWhisperer

I should get the variables "alert" or "deny", but using the below rex, the result it is showing is:

Last Matched Message: ","action"

| rex "(?<action>Last Matched Message: \",\"action\"):\"alert\""

ITWhisperer
SplunkTrust

Where does "deny" come from?

Please provide events showing each of these conditions and how you determine when the "deny" or "alert" field should be populated. (I am assuming by variable you mean field!)

balu1211
Path Finder


ITWhisperer
SplunkTrust

| rex "Last Matched Message: \",\"action\":\"(?<alert>alert)"
| rex "Last Matched Message: \",\"action\":\"(?<deny>deny)"

balu1211
Path Finder

@ITWhisperer

Is there any scope to get the variable deny/alert we get under one field extraction?

ITWhisperer
SplunkTrust

| rex "Last Matched Message: \",\"action\":\"(?<alert>alert)|(?<deny>deny)"

yuanliu
SplunkTrust

I'm guessing

| rex "Last Matched Message: \",\"action\":\"(?<action>\w+)"
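The three rex variants in this thread differ only in where the named capture group sits, and that placement decides what lands in the field. The following is an added worked example (not code from the thread or from Splunk) that runs the same patterns in Python's re module against an event constructed from ITWhisperer's makeresults fragment. Python spells named groups as (?P<name>...) where Splunk's PCRE uses (?<name>...); the event strings, the "deny" variants, and the SCOPED_ALTERNATION pattern are my own constructions, and the extract() helper only imitates a plain rex (first match, matched groups become fields).

```python
import re

# Constructed sample event, rebuilt from the fragment ITWhisperer reconstructed
# in the thread; it is not a real log line.
SAMPLE_EVENT = (
    'format":"json","version":"1.0","attackData":{"rules":[{"data":"20829",'
    '"action":"alert","selector":"REQUEST_HEADERS:Content-Length",'
    '"tag":"ASE/WEB_ATTACK/POLICY","id":"3000180",'
    '"message":"Partial Request Body Inspection Warning - Request Body is '
    'larger than the configured inspection limit","version":"1"},'
    '{"data":"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, '
    'Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, '
    'Mitigated Rules: , Last Matched Message: ","action":"alert",'
    '"selector":"REQUEST_HEADERS:Content-Length","tag":"ASE/WEB_ATTACK/POLICY",'
    '"id":"POLICY-'
)

# Two constructed variants: one where the rule action is "deny", and one where the
# word "deny" also appears earlier in the event, inside the message text.
DENY_EVENT = SAMPLE_EVENT.replace(
    'Last Matched Message: ","action":"alert"',
    'Last Matched Message: ","action":"deny"')
MIXED_EVENT = SAMPLE_EVENT.replace(
    '"message":"Partial', '"message":"Request denylisted. Partial', 1)

# 1. The rex from earlier in the thread: the named group wraps the literal prefix,
#    so the prefix text itself becomes the field value.
MISPLACED_GROUP = re.compile(r'(?P<action>Last Matched Message: ","action"):"alert"')
# 2. yuanliu's rex: the named group wraps the word after the prefix.
VALUE_GROUP = re.compile(r'Last Matched Message: ","action":"(?P<action>\w+)')
# 3. The single-rex alternation from the thread: only the alert branch carries the
#    prefix, so the deny branch can match "deny" anywhere in the event.
ALTERNATION = re.compile(
    r'Last Matched Message: ","action":"(?P<alert>alert)|(?P<deny>deny)')
# 4. Alternation scoped inside the group (my assumption, not from the thread):
#    both values must follow the prefix.
SCOPED_ALTERNATION = re.compile(
    r'Last Matched Message: ","action":"(?P<action>alert|deny)')


def extract(pattern, event):
    """Imitate a plain rex: first match only; named groups that matched become fields."""
    m = pattern.search(event)
    if m is None:
        return {}
    return {name: val for name, val in m.groupdict().items() if val is not None}


if __name__ == "__main__":
    patterns = [("misplaced", MISPLACED_GROUP), ("value", VALUE_GROUP),
                ("alternation", ALTERNATION), ("scoped", SCOPED_ALTERNATION)]
    events = [("alert", SAMPLE_EVENT), ("deny", DENY_EVENT), ("mixed", MIXED_EVENT)]
    for label, pattern in patterns:
        for ev_name, ev in events:
            print(f"{label:12s} {ev_name:6s} -> {extract(pattern, ev)}")
```

Running it shows the symptom balu1211 reported (the misplaced group yields the prefix text as the value), that the value-wrapping group returns "alert" or "deny" directly, and that the unscoped alternation picks up the earlier "deny" inside "denylisted" in the constructed mixed event while the scoped form still returns "alert".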

ITWhisperer
SplunkTrust

Please can you share some anonymised sample log events to clarify what it is you want to extract from where?


balu1211
Path Finder

@yuanliu @ITWhisperer

Help in extracting the field AKAMAI/WAF/* (* represents values that may be present following AKAMAI/WAF/------) from "tag":"AKAMAI/WAF/PENALTYBOX".

Thanks.

balu1211
Path Finder


yuanliu
SplunkTrust

Again, it is unclear whether this "field name" in your posting represents an existing field or whether it is your desire to create a new field named as such. I'll take a blind shot by assuming the latter. (But first, the data in this one is drastically different from your original post. In the future, please post it as a new question so others who have a similar problem may search it up. Also, if the original problem is solved, you should accept one of the answers as the solution so people know it is solved.)

| rex mode=sed "s/:AKAMAI\/(\w+)\/(.+)/:AKAMAI_\1=\"\2\"/"
| rex mode=sed "s/:ASE\/(\w+)\/(.+)/:ASE\/\1=\"\2\"/"
| rex mode=sed "s/:(IPBLOCK\/.+)/:ip_Attack=\"\1\"/"
| rex mode=sed "s/:(CUSTOM_AKA\/.+)/:Custom_Rules=\"\1\"/"
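The sed-mode rex above does not capture a field; it rewrites the raw text so that a key="value" pair appears where the tag used to be. The following is an added worked example (not yuanliu's code and not Splunk's) that applies the first of those substitutions with re.sub, where \1 and \2 backreferences mean the same as in sed. Both event fragments are constructed: JSON_FORM carries the tag in the quoted form balu1211 quoted, and BARE_FORM carries a bare key:value shape that a pattern beginning with :AKAMAI/ matches directly. SED_BOUNDED, SED_FOR_JSON and the auto_kv() stand-in for key="value" extraction are my own assumptions, added to show what the rewritten event looks like and which value the field would end up holding.

```python
import re

# Two constructed fragments (not real logs). JSON_FORM has the tag in the quoted
# form from the question; BARE_FORM has a bare key:value shape that the posted
# pattern (which requires a colon directly before AKAMAI) matches as written.
JSON_FORM = '"action":"deny","tag":"AKAMAI/WAF/PENALTYBOX","id":"3000180"'
BARE_FORM = 'action:deny tag:AKAMAI/WAF/PENALTYBOX id:3000180'

# yuanliu's expression, as posted (Splunk sed -> re.sub; \1 and \2 mean the same).
# The greedy (.+) runs to the end of the event.
SED_AS_POSTED = (re.compile(r':AKAMAI/(\w+)/(.+)'), r':AKAMAI_\1="\2"')
# Same idea, but the value capture stops at whitespace (my variant, not from the thread).
SED_BOUNDED = (re.compile(r':AKAMAI/(\w+)/(\S+)'), r':AKAMAI_\1="\2"')
# Adjusted for the quoted JSON form (my assumption about the poster's data):
# consume the whole "tag":"..." pair and emit key="value" in its place.
SED_FOR_JSON = (re.compile(r'"tag":"AKAMAI/(\w+)/([^"]+)"'), r'AKAMAI_\1="\2"')

# Minimal stand-in for key="value" auto-extraction, used only to show which field
# and value the rewritten event would yield.
KV = re.compile(r'(\w+)="([^"]*)"')


def rewrite(rule, event):
    """Apply one sed-style substitution: first match only, like sed without the g flag."""
    pattern, replacement = rule
    return pattern.sub(replacement, event, count=1)


def auto_kv(text):
    """Return every key="value" pair found in text as a dict."""
    return dict(KV.findall(text))


if __name__ == "__main__":
    for label, rule, event in [("posted/json", SED_AS_POSTED, JSON_FORM),
                               ("posted/bare", SED_AS_POSTED, BARE_FORM),
                               ("bounded/bare", SED_BOUNDED, BARE_FORM),
                               ("json/json", SED_FOR_JSON, JSON_FORM)]:
        out = rewrite(rule, event)
        print(f"{label:13s} {out}\n{'':13s} fields: {auto_kv(out)}")
```

Two things to check against real events before adopting the one-liner: the posted pattern leaves the quoted JSON form untouched because no colon sits directly before AKAMAI there, and on a bare form the greedy (.+) drags everything after the tag into the quoted value, so a bounded capture such as \S+ or [^"]+ keeps the field to the tag alone.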
