Splunk Search

Regex in Splunk

hjsabdjahbd
Observer

Hi, I have the following column:

CVSSv2
CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

I want to do something like this:

source="scan*" | where C="H" | stats count.

How can I parse this query so I can have only "C" as a variable?
I think it will be something related with regex, but I have no idea how to start.

Can someone help me? Thanks.

0 Karma

sduff_splunk
Splunk Employee

A useful regex for CVSS v2 is the following:
rex field=_raw "CVSS2#AV:(?<access_vector>\S)/AC:(?<access_complexity>\S)/Au:(?<authentication>\S)/C:(?<confidentiality>\S)/I:(?<integrity>\S)/A:(?<availability>\S)"

so your search should look like:

source="scan*" | rex field=CVSSv2 "CVSS2#AV:(?<access_vector>\S)/AC:(?<access_complexity>\S)/Au:(?<authentication>\S)/C:(?<confidentiality>\S)/I:(?<integrity>\S)/A:(?<availability>\S)" | where confidentiality="H"
0 Karma
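The same extraction and filter done outside Splunk, as an added example that is not part of the original answer: the pattern below is the answer's rex translated to Python's (?P<name>...) group syntax, the sample rows are constructed (not real scan output), and extract / count_where / stats_count_by are hypothetical helper names that mirror `| rex field=CVSSv2 ...`, `| where confidentiality="H"` and `| stats count`. It also shows what rex does with rows that do not match (an empty or truncated vector): no fields are extracted, so `where` silently drops them.

```python
import re
from collections import Counter

# Same pattern as the rex in the answer above, using Python's (?P<name>...) syntax
# for named groups. Each metric value is a single non-space character, hence \S.
CVSS2_PATTERN = re.compile(
    r"CVSS2#AV:(?P<access_vector>\S)/AC:(?P<access_complexity>\S)/Au:(?P<authentication>\S)"
    r"/C:(?P<confidentiality>\S)/I:(?P<integrity>\S)/A:(?P<availability>\S)"
)

# Constructed sample rows (not real scan data): the CVSSv2 column of a few events.
SAMPLE_ROWS = [
    {"host": "srv-01", "CVSSv2": "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"},  # the asker's own example
    {"host": "srv-02", "CVSSv2": "CVSS2#AV:N/AC:L/Au:N/C:H/I:H/A:H"},
    {"host": "srv-03", "CVSSv2": "CVSS2#AV:L/AC:M/Au:S/C:H/I:N/A:N"},
    {"host": "srv-04", "CVSSv2": ""},                                    # empty field
    {"host": "srv-05", "CVSSv2": "CVSS2#AV:N/AC:L/Au:N/C:P"},            # truncated vector
]


def parse_cvss2(vector):
    """Return the six CVSSv2 metric fields as a dict, or None when the string
    does not match. Like rex, a non-matching event simply yields no fields."""
    m = CVSS2_PATTERN.search(vector or "")
    return m.groupdict() if m else None


def extract(rows):
    """Equivalent of `| rex field=CVSSv2 "..."`: copy each row and add any
    extracted fields to it. Rows that do not match are kept, unchanged."""
    out = []
    for row in rows:
        merged = dict(row)
        fields = parse_cvss2(row.get("CVSSv2"))
        if fields:
            merged.update(fields)
        out.append(merged)
    return out


def count_where(rows, field, value):
    """Equivalent of `| where <field>="<value>" | stats count`. Rows without
    the field (no rex match) compare unequal and are dropped."""
    return sum(1 for r in rows if r.get(field) == value)


def stats_count_by(rows, field):
    """Equivalent of `| stats count by <field>`; rows lacking the field are omitted."""
    return dict(Counter(r[field] for r in rows if field in r))


if __name__ == "__main__":
    extracted = extract(SAMPLE_ROWS)
    print("confidentiality=H count:", count_where(extracted, "confidentiality", "H"))
    print("count by confidentiality:", stats_count_by(extracted, "confidentiality"))
```

Because the pattern anchors on the literal prefixes AV:, AC:, Au:, C:, I: and A: in order, a vector with a different metric order or a missing trailing metric (srv-05) yields nothing rather than a partial or wrong value, which is the behaviour you want before filtering on a single metric such as C.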

woodcock
Esteemed Legend

Where is C? Where is "H"? Post sample events, a few rows of the csv (including the header), a mockup of desired output and a simple description of the pseudocode to get there. The current question is wholly incomprehensible. Also, use the 101010 control to put your code into proper markup.

0 Karma

somesoni2
Revered Legend

Could you provide more details on your requirement, possibly with sample expected output and show what you get now vs what you need it to be?

0 Karma