Splunk Search

How to improve efficiency of my regex statement?

JoshuaJohn
Contributor

I have this query
| rex field=_raw "(?ms)^[^\]\n]\]\s+(?P[^:]+)(?:[^:\n]:){2}(?P[^,]+)[^:\n]:\w+=(?P[^,]+)[^;\n];\w+:(?P[^;]+);\w+:(?P[^;]+)(?:[^:\n]*:){2}\w+\\(?P\w+)"

I was not able to capture everything I wanted ie from the first event below: (I need Severity, Type, Status, Server, DNS, IP, UN, USERID, when unavailable would be blank)

Severity = INFO
Type = DesktopControlJMS
Status = PENDING
Server = cn=c111111f-0111-4111-a111-cc01111111
DNS = gvlcsnav4025.ad.nitro.com
IP = 10.111.111.111
UN = un12802
USERID = cn=s-2-2-22-59222222-343222254-204222229-4722223

I am trying to capture the data from events like this:

2019-01-11T07:41:10.400-06:00 INFO (4440-4444) <DesktopControlJMS> [Audit] PENDING:Server:cn=c111111f-0111-4111-a111-cc01111111,ou=servers,dc=vdi,dc=vm,dc=int;Pool:cn=gvlcsnav4,ou=server groups,dc=vdi,dc=vm,dc=int;DNS:gvlcsnav4025.ad.nitro.com;IP:10.111.111.111;IP6:null;USER:LP\un12802;USERDN:cn=s-2-2-22-59222222-343222254-204222229-4722223,cn=foreignsecurityprincipals,dc=vdi,dc=vm,dc=int;BROKERUSERSID:s-2-2-22-59222222-343222254-204222229-4722223;

    2019-01-11T07:46:06.049-06:00 INFO (4444-1300) <DesktopControlJMS> [Audit] STARTUP:Server:cn=eeeeed6-eeeb2-eee3-beed-56eeeeeeeb77,ou=servers,dc=vdi,dc=vm,dc=int;Pool:cn=gvclsnav2,ou=server groups,dc=vdi,dc=vm,dc=int;DNS:gvclsnav2069.ad.nitro.com;IP:10.990.999.1;IP6:null;

2019-01-11T07:36:03.140-06:00 INFO (1444-0622) <MachineControler> [Audit] PENDING:Server:cn=7677778c-d777-4777-a777-587777772d,ou=servers,dc=vdi,dc=vm,dc=int;Pool:cn=gvsview01,ou=server groups,dc=vdi,dc=vm,dc=int;DNS:gvsview030276.ad.nitro.com;IP:10.122.222.221;IP6:null;USER:LP\UNVA33E;USERDN:cn=s-2-2-22-5999990-343999999-204999989-469993,cn=foreignsecurityprincipals,dc=vdi,dc=vm,dc=int;BROKERUSERSID:s-2-2-22-5999990-343999999-204999989-469993;

Any suggestions or ideas would be greatly appreciated!!

0 Karma
1 Solution

JoshuaJohn
Contributor

No that didn't do it sorry. I ended up figuring it out.
| rex field=_raw "^(?:[^-\n]-){9}[a-f0-9]+)\s+\w+:\s+(?P[^ ]+)(?:[^ \n] ){2}\w+:(?P[^;]+);DomainName:(?P\w+)(?:[^:\n]:){5}(?P[^;]+);Protocol:(?P[^;]+);ClientName:(?P[^;]+)[^:\n]:(?P[^;]+);Server:(?P[^;]+)[^:\n]:(?P\w+=\w+,\w+=\w+\s+\w+,\w+=\w+,\w+=\w+,\w+=\w+)[^;\n];\w+:(?P[^/]+)/-/(?P[^;]+)"

View solution in original post

0 Karma

JoshuaJohn
Contributor

No that didn't do it sorry. I ended up figuring it out.
| rex field=_raw "^(?:[^-\n]-){9}[a-f0-9]+)\s+\w+:\s+(?P[^ ]+)(?:[^ \n] ){2}\w+:(?P[^;]+);DomainName:(?P\w+)(?:[^:\n]:){5}(?P[^;]+);Protocol:(?P[^;]+);ClientName:(?P[^;]+)[^:\n]:(?P[^;]+);Server:(?P[^;]+)[^:\n]:(?P\w+=\w+,\w+=\w+\s+\w+,\w+=\w+,\w+=\w+,\w+=\w+)[^;\n];\w+:(?P[^/]+)/-/(?P[^;]+)"

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

EDIT: Regex updated.

I know that you solved your problem but you can try below regex which is using only 227 steps to capture required output.

| rex field=_raw "\:\d{2}\s(?<Severity>\w+)\s\(\d+-\d+\)\s\<(?<Type>\w+)\>\s\[\w+\]\s(?<Status>\w+)\:\w+\:(?<Server>[^\,]*)\,(?:[^\;]*[\;]){2}\w+\:(?<DNS>[^\;]*)\;\w+\:(?<IP>[^\;]*)\;(?:[^\;]*[\;])(?:\w+(?:[^\\]*[\\])(?<UN>\w+)\;\w+\:(?<USERDN>[^\,]*))?"

Regex with Sample Data : https://regex101.com/r/b2vjgH/3

0 Karma

lakshman239
SplunkTrust
SplunkTrust

glad it worked, if you want to add to props.conf, you may need to tweak like the below (based on my prev one)

:\d{2}\s(?\w+).<(?\w+)>\s[\w+]\s(?\w+):Server:(?.),ou=servers,.;DNS:(?[a-z0-9.]+);IP:(?\d+.\d+.\d+.\d+).;USER:(?.);USERDN:(?.),cn

OR
base search | rex field=_raw ":\d{2}\s(?\w+).<(?\w+)>\s[\w+]\s(?\w+):Server:(?.),ou=servers,.;DNS:(?[a-z0-9.]+);IP:(?\d+.\d+.\d+.\d+).;USER:(?.);USERDN:(?.),cn"

0 Karma

lakshman239
SplunkTrust
SplunkTrust

This should work for you - tested in regx101. Pls test and let me know

:\d{2}\s(\w+).<(\w+)>\s[\w+]\s(\w+):Server:(.),ou=servers,.;DNS:([a-z0-9.]+);IP:(\d+.\d+.\d+.\d+).;USERDN:(.*),cn

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...