Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex in Splunk

hjsabdjahbd
Observer
‎04-08-2019 06:34 AM

Hi, I have the following column:

CVSSv2
CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

I want to do something like this:

source="scan*" | where C="H" | stats count.

How can I parse this query so I can have only "C" as an variable?
I think it will me something related with regex, but I have no idea how to start.

Can someone help me? Thanks.

Tags (2)
0 Karma
Reply

sduff_splunk
Splunk Employee
Splunk Employee
‎04-08-2019 05:44 PM

A useful regex for CVSS v2 is the following
rex field=_raw "CVSS2#AV:(?<access_vector>\S)/AC:(?<access_complexity>\S)/Au:(?<authentication>\S)/C:(?<confidentiality>\S)/I:(?<integrity>\S)/A:(?<availability>\S)"

so your search should look like

source="scan*" | rex field=CVSSv2 "CVSS2#AV:(?<access_vector>\S)/AC:(?<access_complexity>\S)/Au:(?<authentication>\S)/C:(?<confidentiality>\S)/I:(?<integrity>\S)/A:(?<availability>\S)" | where confidentiality="H"
0 Karma
Reply

woodcock
Esteemed Legend
‎04-08-2019 09:37 AM

Where is C? Where is "H"? Post sample events, a few rows of the csv (including the header), a mockup of desired output and s simple description of the pseduocode to get there. The current question is wholly incomprehensible. Also, use the 101/n010 control to put your code into proper markup.

0 Karma
Reply

somesoni2
Revered Legend
‎04-08-2019 08:32 AM

Could you provide more details on your requirement, possibly with sample expected output and show what you get now vs what you need it to be?

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...