Splunk Search

REX issue, quite an interesting one, potential bug?

mrgibbon
Contributor

Just wondering if anyone has ever seen this before?

This is the data I’m extracting from:

"Classic,Audit Failure",11/14/2016 9:32:27 AM,AD FS Auditing,516,-3,"The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 User: sausages\Abel.Caine Client IP: 103.1.1.1,10.1.1.1 nBad Password Count: 4 nLast Bad Password Attempt: 11/14/2016"

I’m trying to extract the bad password count.
By all means, this should work:
| rex "Password Count: (?P[^ \n]+)"

But it appears that Splunk sees the string ‘Count’ as a command, not just a string.
I get the total ‘count’ of those fields it finds.


I’ve tried escaping it, using “\s{1}\w{6}” and a load of others things.

Seen this before?

0 Karma

woodcock
Esteemed Legend

This works fine:

... | rex "Password Count:\s*(?<Count>\d+)"
0 Karma
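As an added illustration (not code from the thread), the same extraction in Python over a constructed event modelled on the one quoted in the question. It shows why the literal-space pattern in the question fails when the count sits on the line after the colon, and why the `\s*` form in this answer does not:

```python
import re

# Constructed sample modelled on the AD FS event 516 text quoted in the thread
# (not real log data). The "n" fragments in the quoted event are taken to be
# line breaks, so each "Bad Password ..." field starts on its own line.
SAMPLE_INLINE = (
    '"Classic,Audit Failure",11/14/2016 9:32:27 AM,AD FS Auditing,516,-3,'
    '"The following user account has been locked out due to too many bad '
    'password attempts. Additional Data Activity ID: '
    '00000000-0000-0000-0000-000000000000 User: sausages\\Abel.Caine '
    'Client IP: 103.1.1.1,10.1.1.1\nBad Password Count: 4\n'
    'Last Bad Password Attempt: 11/14/2016"'
)
# Variant with the count rendered below the label, as mrgibbon saw it in the UI.
SAMPLE_MULTILINE = SAMPLE_INLINE.replace("Bad Password Count: 4", "Bad Password Count:\n4")

# The pattern from the question: a literal space after the colon.
NAIVE_COUNT = re.compile(r"Password Count: (?P<v>[^ \n]+)")

# \s* absorbs a space, a newline, or nothing, so one pattern covers both layouts.
FIELD_PATTERNS = {
    "activity_id": re.compile(r"Activity ID:\s*(?P<v>[0-9a-fA-F-]{36})"),
    "user": re.compile(r"User:\s*(?P<v>\S+)"),
    "client_ips": re.compile(r"Client IP:\s*(?P<v>[0-9.,]+)"),
    "bad_password_count": re.compile(r"Bad Password Count:\s*(?P<v>\d+)"),
    "last_attempt": re.compile(r"Last Bad Password Attempt:\s*(?P<v>[^\"\n]+)"),
}


def naive_count(event: str):
    """Return the count using the question's pattern, or None if it fails to match."""
    m = NAIVE_COUNT.search(event)
    return m.group("v") if m else None


def parse_adfs_516(event: str) -> dict:
    """Extract the lockout fields from one AD FS event 516 record."""
    out = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(event)
        out[name] = m.group("v") if m else None
    if out["bad_password_count"] is not None:
        out["bad_password_count"] = int(out["bad_password_count"])
    if out["client_ips"]:
        # The event lists the forwarded client and proxy address comma-separated.
        out["client_ips"] = out["client_ips"].split(",")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_INLINE, SAMPLE_MULTILINE):
        print("naive:", naive_count(sample), "| parsed:", parse_adfs_516(sample))
```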

MuS
Legend

Hi mrgibbon 😉

works like a charm on Splunk 6.5.0:

| gentimes start=-1 
| eval gibbon="\"Classic,Audit Failure\",11/14/2016 9:32:27 AM,AD FS Auditing,516,-3,\"The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 User: sausages\Abel.Caine Client IP: 103.1.1.1,10.1.1.1 nBad Password Count: 4 nLast Bad Password Attempt: 11/14/2016\"" 
| rex field=gibbon "Password Count: (?P<count>[^ \n]+)" 
| table count

Here is the result:

Can you please add the complete search you are running?

cheers, MuS

0 Karma

mrgibbon
Contributor

Hmm, I'm using 6.5.0.
Might be something quirky in the way the event is ingested; it's only ADFS logs though, fairly std.

index=adfs "Event ID"=403 OR "Event ID"=516 NOT "Audit Success" 
| rex "blah.internal\\\(?P[^ \n]+)" 
| rex "Activity ID: (?P[^\n \"]+)"
| rex "((\\d{1,3}\.\\d{1,3}\.\\d{1,3}\.\\d{1,3}).+?(?P\\d{1,3}\.\\d{1,3}\.\\d{1,3}\.\\d{1,3}))"
| rex "nBad Password\s{1}\w{5}\:\s(?P[^ \n]+)" 
| rex "nLast Bad Password Attempt: (?P[^\"]+)" 

This is just one variation I have tried, of course I have tried the most basic one I listed first.

0 Karma

wrangler2x
Motivator

Why the \n? Seems to me you only need [^ ]+

0 Karma

mrgibbon
Contributor

I added it in as when I view the event that number is actually below the leading text, like this:
nBad Password Count:
4

So I added it in to cope with that, but if you copy out the event it's directly following the colon and a space. I have tried without it, still the same result.
Thanks

0 Karma

mrgibbon
Contributor

Also, I want the value of the field, not the count of those fields.

0 Karma

MuS
Legend

Hi mrgibbon, you know how to reach me. Can you send some sample data and the search and I will have a look at it 😉 Cheers, MuS

0 Karma

MuS
Legend

Can you use the code function so the named capturing groups are still in the search, please? 🙂

0 Karma