Regex in Splunk

hjsabdjahbd
Observer

Hi, I have the following column:

CVSSv2
CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

I want to do something like this:

source="scan*" | where C="H" | stats count.

How can I parse this query so I can have only "C" as a variable?
I think it will be something related to regex, but I have no idea how to start.

Can someone help me? Thanks.

0 Karma

sduff_splunk
Splunk Employee

A useful regex for CVSS v2 is the following:
rex field=_raw "CVSS2#AV:(?<access_vector>\S)/AC:(?<access_complexity>\S)/Au:(?<authentication>\S)/C:(?<confidentiality>\S)/I:(?<integrity>\S)/A:(?<availability>\S)"

so your search should look like

source="scan*" | rex field=CVSSv2 "CVSS2#AV:(?<access_vector>\S)/AC:(?<access_complexity>\S)/Au:(?<authentication>\S)/C:(?<confidentiality>\S)/I:(?<integrity>\S)/A:(?<availability>\S)" | where confidentiality="H"
0 Karma
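As an added example (not part of the thread), the same named-group pattern in Python, run over constructed sample rows, shows what the rex extraction plus `where ... | stats count` pipeline yields and how rows with a missing or unparsable CVSSv2 value fall out of the count; the row layout and host names are assumptions.

```python
import re

# Same named-group pattern as the rex in the answer above; \S keeps each
# metric to one character, which is all a CVSS v2 base vector uses.
CVSS2_RE = re.compile(
    r"CVSS2#AV:(?P<access_vector>\S)/AC:(?P<access_complexity>\S)"
    r"/Au:(?P<authentication>\S)/C:(?P<confidentiality>\S)"
    r"/I:(?P<integrity>\S)/A:(?P<availability>\S)"
)

# Legal values per metric in the CVSS v2 base vector, used as a sanity check.
ALLOWED = {
    "access_vector": "LAN",      # Local / Adjacent network / Network
    "access_complexity": "HML",  # High / Medium / Low
    "authentication": "MSN",     # Multiple / Single / None
    "confidentiality": "NPC",    # None / Partial / Complete
    "integrity": "NPC",
    "availability": "NPC",
}

def parse_cvss2(vector):
    """Return the six base-metric fields, or None when the value does not
    match or carries an unknown letter (rex would simply leave the fields
    absent, so a later `where` drops the event)."""
    m = CVSS2_RE.search(vector or "")
    if not m:
        return None
    fields = m.groupdict()
    if any(val not in ALLOWED[name] for name, val in fields.items()):
        return None
    return fields

def count_where(rows, field, value):
    """Equivalent of `| rex field=CVSSv2 ... | where <field>="<value>" | stats count`."""
    return sum(1 for r in rows
               if (f := parse_cvss2(r.get("CVSSv2"))) and f[field] == value)

# Constructed rows standing in for the scan*-sourced CSV (not real scan output).
SAMPLE_ROWS = [
    {"host": "h1", "CVSSv2": "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"},
    {"host": "h2", "CVSSv2": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"host": "h3", "CVSSv2": "CVSS2#AV:L/AC:M/Au:S/C:P/I:N/A:N"},
    {"host": "h4", "CVSSv2": "CVSS2#AV:A/AC:H/Au:M/C:C/I:P/A:P"},
    {"host": "h5", "CVSSv2": "n/a"},  # unparsable: excluded, as rex would
    {"host": "h6"},                   # column missing entirely
]

if __name__ == "__main__":
    print(count_where(SAMPLE_ROWS, "confidentiality", "C"))  # 2
```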

woodcock
Esteemed Legend

Where is C? Where is "H"? Post sample events, a few rows of the csv (including the header), a mockup of desired output and a simple description of the pseudocode to get there. The current question is wholly incomprehensible. Also, use the 101/n010 control to put your code into proper markup.

0 Karma

somesoni2
Revered Legend

Could you provide more details on your requirement, possibly with sample expected output and show what you get now vs what you need it to be?

0 Karma