Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace a string with RegEx in search result

Dolfing
Explorer
‎06-13-2022 06:02 AM

I have my Sonicwall logfiles coming into Splunk. By searching this index I want to replace "dst" (Destination IP address) without portnumber and interface with (for example) RegEx. Note that the formats used for "src" and "dst" = (ip address):(port number):(interface)

So when I do a search like (NOTE: the red sentence is my own attempt, however, it does not give a result I had in mind.):

index=sonicwall msg="Connection Opened" OR msg="Connection Closed" earliest=-2m latest=-1m
| eval dst=if(match(dst, "\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}:\d{1,5}:X\d{1}"), dst, replace(dst, "(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}):\d{1,5}:X\d{1}","\1"))
| stats first(_time) as _time by src dst proto msg
| inputlookup append=t firewall_open_connections
| fillnull msg value="Connection Opened"
| eval closed=if(msg="Connection Closed",_time,"1")
| eval open=if(msg="Connection Opened",_time,"1")
| stats first(open) as open first(closed) as closed by src dst proto
| where open > closed
| rename open as _time
| fields src dst proto _time
| outputlookup firewall_open_connections

Results in:

src

dst

proto

_time

10.0.1.5:50492:X2

8.8.8.8:53:X1

udp/dns

2022-06-14 15:40:08

192.168.1.100:37016:X0

54.81.233.206:443:X1

tcp/https

2022-06-14 15:39:01

192.168.1.100:38376:X0

104.244.42.130:443:X1

tcp/https

2022-06-14 14:49:14

192.168.1.100:38611:X0

172.217.132.170:443:X1

udp/https

2022-06-14 15:37:51

 

Now I would like the "dst" results to be stripped of :(port number):(interface)or :(interface). In other words, only the IP address should remain

How do I do that within my query in Splunk with for example RegEx (or another method)?

Any tip is welcome, am very new to Splunk.

Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎06-16-2022 12:22 PM

You can use replace() function to trim everything from the semicolon to the end of the field.

| eval dst=replace(dst,":.*","")

 

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎06-16-2022 12:22 PM

You can use replace() function to trim everything from the semicolon to the end of the field.

| eval dst=replace(dst,":.*","")

 

Reply
Solved! Jump to solution

Dolfing
Explorer
‎06-20-2022 01:16 AM

Thank you, this is a simple and effective way that I was looking for. Really appreciate it.

0 Karma
Reply
Solved! Jump to solution

rymundo_splunk
Splunk Employee
Splunk Employee
‎06-16-2022 09:26 AM

Hi, I think you want to use the rex command here.  In my example below, I am taking the leading four octets of src and dst and putting them into new fields named src_after and dst_after.  Everything after the first four octets is ignored.  All of the stuff in |makeresults and |spath is just for me to build up some fake data using what you provided.  The part you want to look at starts with the |rex steps.  I hope this helps.

| makeresults | eval json="{ \"src\":\"10.0.1.5:50492:X2\", \"dst\":\"8.8.8.8:53:X1\" }"
| append [| makeresults | eval json="{ \"src\":\"192.168.1.100:37016:X0\", \"dst\":\"54.81.233.206:443:X1\" }"]
| append [| makeresults | eval json="{ \"src\":\"192.168.1.100:38376:X0\", \"dst\":\"104.244.42.130:443:X1\" }"]
| append [| makeresults | eval json="{ \"src\":\"192.168.1.100:38611:X0\", \"dst\":\"172.217.132.170:443:X1\" }"]
| spath input=json
| rex field=src "^(?<src_after>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=dst "^(?<dst_after>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| table src src_after dst dst_after

 

rymundo_splunk_0-1655396722243.png

 

0 Karma
Reply
Solved! Jump to solution

Dolfing
Explorer
‎06-20-2022 01:22 AM

Thank you for your answer. Definitely much appreciated. However, this is not the solution I was looking for because I have to change everything myself or include it in a regex list. However, the examples in my post were only a few lines, but the actual result is thousands of lines.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top