Hi,
How do I extract the field "alert" with the field name action? Help with the regex.
Thanks.
XML
| rex "(?<action>Last Matched Message: \",\"action\"\w+):\"alert\""
This one is not working ...
In what way is it not working?
Regex is not matching with the XML log
Please can you share an anonymised sample of the XML log you are trying to extract from?
format":"json","version":"1.0",ta":"20829","":"","selector":"REQUEST_HEADERS:Content-Length","tag":"ASE/","id":"3000180","message":"Partial Request Body Inspection Warning - Request Body is larger than the configured inspection limit","version":"1"},{"data":"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, Mitigated Rules: , "selector":"REQUEST_HEADERS:Content-L
Sorry, there was an extra \w+ which was unnecessary
| makeresults
| fields - _time
``` Set up example data ```
| eval _raw="format\":\"json\",\"version\":\"1.0\",\"attackData\":{\"rules\":[{\"data\":\"20829\",\"action\":\"alert\",\"selector\":\"REQUEST_HEADERS:Content-Length\",\"tag\":\"ASE/WEB_ATTACK/POLICY\",\"id\":\"3000180\",\"message\":\"Partial Request Body Inspection Warning - Request Body is larger than the configured inspection limit\",\"version\":\"1\"},{\"data\":\"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, Triggered Scores: 1000, Triggered Selector: REQUEST_HEADERS:Content-Length, Mitigated Rules: , Last Matched Message: \",\"action\":\"alert\",\"selector\":\"REQUEST_HEADERS:Content-Length\",\"tag\":\"ASE/WEB_ATTACK/POLICY\",\"id\":\"POLICY-"
``` ---------------------- ```
``` rex to extract the values ```
| rex "(?<action>Last Matched Message: \",\"action\"):\"alert\""
btw, your example is not XML, it looks more like part of a JSON message
Where does "deny" come from?
Please provide events showing each of these conditions and how you determine when the "deny" or "alert" field should be populated. (I am assuming that by variable you mean field!)
| rex "Last Matched Message: \",\"action\":\"(?<alert>alert)"
| rex "Last Matched Message: \",\"action\":\"(?<deny>deny)"
Is there any scope to get the variable deny/alert we get under one field extraction?
| rex "Last Matched Message: \",\"action\":\"(?:(?<alert>alert)|(?<deny>deny))"
I'm guessing
| rex "Last Matched Message: \",\"action\":\"(?<action>\w+)"
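As an added illustration (not part of the thread, and not Splunk code), the Python script below runs the same patterns over a constructed event shaped like the JSON fragment posted above, using Python's `(?P<name>...)` spelling for the named groups that Splunk's PCRE writes as `(?<name>...)`. It shows why the single `(?<action>\w+)` group is the safer choice: an ungrouped alternation `(?<alert>alert)|(?<deny>deny)` lets the second alternative match a "deny" anywhere in the event, not only after "Last Matched Message:". The event text, rule ids and the "deny" variant are constructed placeholders.

```python
import re
from typing import Optional

# Constructed event modelled on the WAF JSON fragment in the thread (quotes
# unescaped, as they appear in _raw after the eval); ids and message text
# are placeholders, not real data.
EVENT_ALERT = (
    '{"format":"json","version":"1.0","attackData":{"rules":['
    '{"data":"20829","action":"alert","selector":"REQUEST_HEADERS:Content-Length",'
    '"tag":"ASE/WEB_ATTACK/POLICY","id":"3000180","message":"Partial Request Body '
    'Inspection Warning","version":"1"},'
    '{"data":"Vector Score: 1000, Group Threshold: 9, Triggered Rules: 3000180, '
    'Mitigated Rules: , Last Matched Message: ","action":"alert",'
    '"selector":"REQUEST_HEADERS:Content-Length","tag":"ASE/WEB_ATTACK/POLICY",'
    '"id":"POLICY-EXAMPLE"}]}}'
)
# Second constructed event: the first rule's action is "deny", but the
# summary action after "Last Matched Message:" is still "alert".
EVENT_MIXED = EVENT_ALERT.replace('"data":"20829","action":"alert"',
                                  '"data":"20829","action":"deny"', 1)

PREFIX = r'Last Matched Message: ","action":"'

# Equivalent of | rex "Last Matched Message: \",\"action\":\"(?<action>\w+)"
ONE_FIELD = re.compile(PREFIX + r'(?P<action>\w+)')

# Ungrouped alternation: the second alternative is NOT anchored to PREFIX,
# so (?P<deny>deny) can match a "deny" anywhere earlier in the event.
TWO_FIELDS_LOOSE = re.compile(PREFIX + r'(?P<alert>alert)|(?P<deny>deny)')

# Grouped alternation: both alternatives sit behind PREFIX.
TWO_FIELDS_GROUPED = re.compile(PREFIX + r'(?:(?P<alert>alert)|(?P<deny>deny))')


def extract_action(event: str) -> Optional[str]:
    """Single-field extraction: returns 'alert', 'deny', ... or None."""
    m = ONE_FIELD.search(event)
    return m.group("action") if m else None


def extract_two_fields(event: str, pattern: "re.Pattern") -> dict:
    """Two-field extraction; returns {'alert': ..., 'deny': ...} as rex would."""
    m = pattern.search(event)
    if not m:
        return {"alert": None, "deny": None}
    return {"alert": m.group("alert"), "deny": m.group("deny")}


if __name__ == "__main__":
    for name, ev in (("alert-only", EVENT_ALERT), ("mixed", EVENT_MIXED)):
        print(name, "action =", extract_action(ev))
        print("  loose  :", extract_two_fields(ev, TWO_FIELDS_LOOSE))
        print("  grouped:", extract_two_fields(ev, TWO_FIELDS_GROUPED))
```

On the mixed event the loose pattern reports deny and no alert, while the grouped pattern and the single `action` field both report alert; in a search that then filters on `deny=*`, the loose form would raise the wrong events.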
Please can you share some anonymised sample log events to clarify what it is you want to extract from where?
Help in extracting the field AKAMAI/WAF/* (* represents the values that may be present after AKAMAI/WAF/) from "tag":"AKAMAI/WAF/PENALTYBOX".
Thanks.
Again, it is unclear whether this "field name" in your posting represents an existing field or whether it is your desire to create a new field named as such. I'll take a blind shot by assuming the latter. (But first, the data in this one is drastically different from your original post. In the future, please post it as a new question so others who have a similar problem may search it up. Also, if the original problem is solved, you should accept one of the answers as the solution so people know it is solved.)
``` the tag value is quoted in the JSON, so match :"AKAMAI/... and stop at the closing quote; the rewrite leaves key="value" for automatic extraction ```
| rex mode=sed "s/:\"AKAMAI\/(\w+)\/([^\"]+)\"/:AKAMAI_\1=\"\2\"/"
| rex mode=sed "s/:\"ASE\/(\w+)\/([^\"]+)\"/:ASE_\1=\"\2\"/"
| rex mode=sed "s/:\"(IPBLOCK\/[^\"]+)\"/:ip_Attack=\"\1\"/"
| rex mode=sed "s/:\"(CUSTOM_AKA\/[^\"]+)\"/:Custom_Rules=\"\1\"/"
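Added example (not from the thread, and not Splunk code): the same four sed-style rewrites done with Python's `re.sub` on a constructed event, then read back the way Splunk's automatic `key="value"` extraction would see them. AKAMAI/WAF/PENALTYBOX and ASE/WEB_ATTACK/POLICY come from the thread; the IPBLOCK and CUSTOM_AKA tag values and the rule ids are made-up placeholders. It also shows that a search pattern beginning `:AKAMAI` never matches a JSON tag, because a quote sits between the colon and the value.

```python
import re

# Constructed event: a trimmed JSON fragment in the shape of the WAF log
# discussed in the thread. AKAMAI/WAF/PENALTYBOX and ASE/WEB_ATTACK/POLICY
# come from the thread; the IPBLOCK/... and CUSTOM_AKA/... tags and the ids
# are placeholders.
EVENT = (
    '{"attackData":{"rules":['
    '{"action":"deny","tag":"AKAMAI/WAF/PENALTYBOX","id":"rule-1"},'
    '{"action":"alert","tag":"ASE/WEB_ATTACK/POLICY","id":"rule-2"},'
    '{"action":"deny","tag":"IPBLOCK/EXAMPLE_LIST","id":"rule-3"},'
    '{"action":"alert","tag":"CUSTOM_AKA/EXAMPLE_RULE","id":"rule-4"}]}}'
)

# The search side of a ":AKAMAI/..." sed expression. In the JSON the tag
# value is quoted, so a colon is never directly followed by AKAMAI.
UNQUOTED_AKAMAI = re.compile(r':AKAMAI/(\w+)/(.+)')

# Quote-aware versions of the four rewrites. [^"]+ stops at the closing
# quote of the tag value; a bare .+ would run on to the end of the event.
REWRITES = [
    (re.compile(r':"AKAMAI/(\w+)/([^"]+)"'), r':AKAMAI_\1="\2"'),
    (re.compile(r':"ASE/(\w+)/([^"]+)"'), r':ASE_\1="\2"'),
    (re.compile(r':"(IPBLOCK/[^"]+)"'), r':ip_Attack="\1"'),
    (re.compile(r':"(CUSTOM_AKA/[^"]+)"'), r':Custom_Rules="\1"'),
]

# Simplified stand-in for automatic key="value" extraction:
# word-character keys, double-quoted values.
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')


def rewrite_tags(event: str) -> str:
    """Apply the substitutions in order, like chained rex mode=sed commands."""
    for pattern, replacement in REWRITES:
        event = pattern.sub(replacement, event)
    return event


def auto_kv(event: str) -> dict:
    """Collect key="value" pairs the way automatic extraction would."""
    return dict(KV_PAIR.findall(event))


def unquoted_pattern_matches(event: str) -> bool:
    """True if the ':AKAMAI/...' form (no quote after the colon) matches at all."""
    return UNQUOTED_AKAMAI.search(event) is not None


if __name__ == "__main__":
    print("':AKAMAI' form matches:", unquoted_pattern_matches(EVENT))
    rewritten = rewrite_tags(EVENT)
    print(rewritten)
    for key, value in auto_kv(rewritten).items():
        print(f"{key} = {value}")
```

Before the rewrite the event yields no `key="value"` pairs at all; afterwards the four tags surface as AKAMAI_WAF, ASE_WEB_ATTACK, ip_Attack and Custom_Rules. Keys are kept to word characters, since a field name containing `/` is not something automatic extraction is meant to produce.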