Splunk Search

How to improve efficiency of my regex statement?

JoshuaJohn
Contributor

I have this query
| rex field=_raw "(?ms)^[^\]\n]\]\s+(?P[^:]+)(?:[^:\n]:){2}(?P[^,]+)[^:\n]:\w+=(?P[^,]+)[^;\n];\w+:(?P[^;]+);\w+:(?P[^;]+)(?:[^:\n]*:){2}\w+\\(?P\w+)"

I was not able to capture everything I wanted ie from the first event below: (I need Severity, Type, Status, Server, DNS, IP, UN, USERID, when unavailable would be blank)

Severity = INFO
Type = DesktopControlJMS
Status = PENDING
Server = cn=c111111f-0111-4111-a111-cc01111111
DNS = gvlcsnav4025.ad.nitro.com
IP = 10.111.111.111
UN = un12802
USERID = cn=s-2-2-22-59222222-343222254-204222229-4722223

I am trying to capture the data from events like this:

2019-01-11T07:41:10.400-06:00 INFO (4440-4444) <DesktopControlJMS> [Audit] PENDING:Server:cn=c111111f-0111-4111-a111-cc01111111,ou=servers,dc=vdi,dc=vm,dc=int;Pool:cn=gvlcsnav4,ou=server groups,dc=vdi,dc=vm,dc=int;DNS:gvlcsnav4025.ad.nitro.com;IP:10.111.111.111;IP6:null;USER:LP\un12802;USERDN:cn=s-2-2-22-59222222-343222254-204222229-4722223,cn=foreignsecurityprincipals,dc=vdi,dc=vm,dc=int;BROKERUSERSID:s-2-2-22-59222222-343222254-204222229-4722223;

    2019-01-11T07:46:06.049-06:00 INFO (4444-1300) <DesktopControlJMS> [Audit] STARTUP:Server:cn=eeeeed6-eeeb2-eee3-beed-56eeeeeeeb77,ou=servers,dc=vdi,dc=vm,dc=int;Pool:cn=gvclsnav2,ou=server groups,dc=vdi,dc=vm,dc=int;DNS:gvclsnav2069.ad.nitro.com;IP:10.990.999.1;IP6:null;

2019-01-11T07:36:03.140-06:00 INFO (1444-0622) <MachineControler> [Audit] PENDING:Server:cn=7677778c-d777-4777-a777-587777772d,ou=servers,dc=vdi,dc=vm,dc=int;Pool:cn=gvsview01,ou=server groups,dc=vdi,dc=vm,dc=int;DNS:gvsview030276.ad.nitro.com;IP:10.122.222.221;IP6:null;USER:LP\UNVA33E;USERDN:cn=s-2-2-22-5999990-343999999-204999989-469993,cn=foreignsecurityprincipals,dc=vdi,dc=vm,dc=int;BROKERUSERSID:s-2-2-22-5999990-343999999-204999989-469993;

Any suggestions or ideas would be greatly appreciated!!

0 Karma
1 Solution

JoshuaJohn
Contributor

No that didn't do it sorry. I ended up figuring it out.
| rex field=_raw "^(?:[^-\n]-){9}[a-f0-9]+)\s+\w+:\s+(?P[^ ]+)(?:[^ \n] ){2}\w+:(?P[^;]+);DomainName:(?P\w+)(?:[^:\n]:){5}(?P[^;]+);Protocol:(?P[^;]+);ClientName:(?P[^;]+)[^:\n]:(?P[^;]+);Server:(?P[^;]+)[^:\n]:(?P\w+=\w+,\w+=\w+\s+\w+,\w+=\w+,\w+=\w+,\w+=\w+)[^;\n];\w+:(?P[^/]+)/-/(?P[^;]+)"

View solution in original post

0 Karma

JoshuaJohn
Contributor

No that didn't do it sorry. I ended up figuring it out.
| rex field=_raw "^(?:[^-\n]-){9}[a-f0-9]+)\s+\w+:\s+(?P[^ ]+)(?:[^ \n] ){2}\w+:(?P[^;]+);DomainName:(?P\w+)(?:[^:\n]:){5}(?P[^;]+);Protocol:(?P[^;]+);ClientName:(?P[^;]+)[^:\n]:(?P[^;]+);Server:(?P[^;]+)[^:\n]:(?P\w+=\w+,\w+=\w+\s+\w+,\w+=\w+,\w+=\w+,\w+=\w+)[^;\n];\w+:(?P[^/]+)/-/(?P[^;]+)"

0 Karma

harsmarvania57
Ultra Champion

Hi,

EDIT: Regex updated.

I know that you solved your problem but you can try below regex which is using only 227 steps to capture required output.

| rex field=_raw "\:\d{2}\s(?<Severity>\w+)\s\(\d+-\d+\)\s\<(?<Type>\w+)\>\s\[\w+\]\s(?<Status>\w+)\:\w+\:(?<Server>[^\,]*)\,(?:[^\;]*[\;]){2}\w+\:(?<DNS>[^\;]*)\;\w+\:(?<IP>[^\;]*)\;(?:[^\;]*[\;])(?:\w+(?:[^\\]*[\\])(?<UN>\w+)\;\w+\:(?<USERDN>[^\,]*))?"

Regex with Sample Data : https://regex101.com/r/b2vjgH/3

0 Karma

lakshman239
Influencer

glad it worked, if you want to add to props.conf, you may need to tweak like the below (based on my prev one)

:\d{2}\s(?\w+).<(?\w+)>\s[\w+]\s(?\w+):Server:(?.),ou=servers,.;DNS:(?[a-z0-9.]+);IP:(?\d+.\d+.\d+.\d+).;USER:(?.);USERDN:(?.),cn

OR
base search | rex field=_raw ":\d{2}\s(?\w+).<(?\w+)>\s[\w+]\s(?\w+):Server:(?.),ou=servers,.;DNS:(?[a-z0-9.]+);IP:(?\d+.\d+.\d+.\d+).;USER:(?.);USERDN:(?.),cn"

0 Karma

lakshman239
Influencer

This should work for you - tested in regx101. Pls test and let me know

:\d{2}\s(\w+).<(\w+)>\s[\w+]\s(\w+):Server:(.),ou=servers,.;DNS:([a-z0-9.]+);IP:(\d+.\d+.\d+.\d+).;USERDN:(.*),cn

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...