Splunk Search

How to write a query to use regex on the basis of if statement?

Abhineet

Hi,

I am looking for a Splunk query to use regex on the basis of an if statement.

Query: 

index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1"
| rex field=_raw ".*AccessLogger \[(?<action>[\w\s]+)\].*"|dedup action|search action = "ACCEPTED*" | table action

OUTPUT: 

action

ACCEPTED DOWNLOAD
ACCEPTED LOGIN
ACCEPTED DELETE
ACCEPTED DEPLOY
ACCEPTED UPDATE
ACCEPTED PROPERTY_UPDATED
ACCEPTED CONFIGURATION_CHANGE
ACCEPTED BUILD_CREATE

I want to use a separate regex on the basis of the action value with an if condition, so that when an event matches one of the actions mentioned above, the particular regex is applied and the information is filtered out.

The event format is different depending on the action.

For example:

if (action = "ACCEPTED DOWNLOAD",<regex1>)

if(action = "ACCEPTED LOGIN", <regex2>)

regex1 = .*[\s]+\d+ (?<time>[\d:]+) (?<HOST>[\w\d]+) \[(?<date>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo>[\w-]+):(?<package>.*) for client : (?<user>[\_\w\-\d]+) \/ (?<userIp>.*)\.

Please provide a Splunk query for the above example to extract information from differently formatted events for the different action types.

Thanks

Abhineet Kumar


gcusello
SplunkTrust

Hi @Abhineet,

make the two regex extractions and then the if condition, something like this:

| rex ".*[\s]+\d+ (?<time1>[\d:]+) (?<HOST1>[\w\d]+) \[(?<date1>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo1>[\w-]+):(?<package1>.*) for client : (?<user1>[\_\w\-\d]+) \/ (?<userIp1>.*)\."
| rex ".*[\s]+\d+ (?<time2>[\d:]+) (?<HOST2>[\w\d]+) \[(?<date2>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo2>[\w-]+):(?<package2>.*) for client : (?<user2>[\_\w\-\d]+) \/ (?<userIp2>.*)\."
| eval 
   time=if(action="ACCEPTED DOWNLOAD",time1,time2),
   HOST=if(action="ACCEPTED DOWNLOAD",HOST1,HOST2),
   ...

You didn't share regex 2, so I used the same regex to display the approach.

Ciao.

Giuseppe


Abhineet

Hi @gcusello!

For all "action" values we have a separate regex; we want to use the regex inside an if condition on the basis of the "action" matched,

so that it extracts information from the events that belong to a particular "action".

For example:

if (action = "ACCEPTED UPDATE", <apply regex3 to events matching the action>)

If the condition is satisfied for an event, apply the regex on that event; if it is not satisfied for an event, do nothing.

Thanks

Abhineet

gcusello
SplunkTrust

Hi @Abhineet,

As @inventsekar said, it isn't possible to insert a regex in an if statement; the only approach is the one I described, or the solution from @inventsekar.

Ciao.

Giuseppe


inventsekar
SplunkTrust

Hi @Abhineet, running rex inside an if condition looks like it is not possible, but you can do the following: run two rex commands and then use the if condition to select your fields. (I just copy-pasted gcusello's SPL, adding your base query.)

Please update your rex2 and tell us what your if condition requirement is; then we can edit this SPL to match your requirement.

index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1"
| rex field=_raw ".*AccessLogger \[(?<action>[\w\s]+)\].*"|dedup action|search action = "ACCEPTED*" 
| rex ".*[\s]+\d+ (?<time1>[\d:]+) (?<HOST1>[\w\d]+) \[(?<date1>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo1>[\w-]+):(?<package1>.*) for client : (?<user1>[\_\w\-\d]+) \/ (?<userIp1>.*)\."
| rex ".*[\s]+\d+ (?<time2>[\d:]+) (?<HOST2>[\w\d]+) \[(?<date2>[\d-]+)T.*\].*AccessLogger \[.*\] (?<repo2>[\w-]+):(?<package2>.*) for client : (?<user2>[\_\w\-\d]+) \/ (?<userIp2>.*)\."
| eval 
   time=if(action="ACCEPTED DOWNLOAD",time1,time2),
   HOST=if(action="ACCEPTED DOWNLOAD",HOST1,HOST2)

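As an added example that is not from any of the posts above, here is one way to get per-action extractions in SPL without a conditional rex: each rex pattern embeds the action literal, so it only populates its fields on events of that action and leaves them null otherwise, and coalesce()/case() then merge the results. The DOWNLOAD pattern follows the regex in the question; the LOGIN line format ("for client : user / ip." with no repo:package part) is an assumption, since regex2 was never posted, and the original `dedup action` is left out because it keeps only one event per action, which would discard the events you want to extract from.

```spl
index=jfrog_index "org.artifactory.security.AccessLogger" NOT "127.0.0.1"
| rex field=_raw "AccessLogger \[(?<action>[\w\s]+)\]"
| search action="ACCEPTED*"
| rex field=_raw "\s\d+ (?<time>[\d:]+) (?<HOST>[\w\d]+) \[(?<date>[\d-]+)T"
| rex field=_raw "AccessLogger \[ACCEPTED DOWNLOAD\] (?<dl_repo>[\w-]+):(?<dl_package>.*) for client : (?<dl_user>[\_\w\-\d]+) / (?<dl_ip>.*)\."
| rex field=_raw "AccessLogger \[ACCEPTED LOGIN\] for client : (?<login_user>[\_\w\-\d]+) / (?<login_ip>.*)\."
| eval user=coalesce(dl_user, login_user), userIp=coalesce(dl_ip, login_ip)
| eval detail=case(action=="ACCEPTED DOWNLOAD", dl_repo.":".dl_package,
                   action=="ACCEPTED LOGIN", "interactive login",
                   true(), "no extraction defined for this action")
| table _time date time HOST action user userIp detail
```

Events whose action has no matching rex keep null user/userIp and are flagged in detail rather than dropped, which is the "if not satisfied, do nothing" behaviour asked for; add one more rex line plus a case() branch for each further action.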