I currently have a search looking for specific attack_id values. For example:
("attack_id=3040" OR "attack_id=3057" OR "attack_id=3054")
My question is, how could I create a regular expression that could cut this down so that I would only need to enter the text attack_id= once followed by a series of numbers such as 3040 3057 3054 etc. and have the search trigger on a combination of attack_id= and one of the numbers.
For those who are familiar, just like egrep in unix.
Hi All,
We want to do a field extraction where we need to eliminate the comma from the field value. E.g. we get the log as ......number = 524,361....... and what we need is the number to be extracted as "number = 524361" (the comma is removed in the output). Is there a way to do it using regex, maybe with some function or something? Or any other way to achieve it. Appreciate your response in advance.
Hi @manish_578,
If you want to clear comma on search you can use replace command like below;
| eval number =replace(number,",","")
Or if you want to put this into extractions, you should put the below EVAL inside your sourcetype settings:
[your_sourcetype]
EVAL-number = replace(number,",","")
If this reply helps you an upvote is appreciated.
Yes, this is good for search but how to use for field extraction and in regex directly.
Hi,
Could someone please help me to filter these raw fields and extract it from a new field? I just need to gather "DUMP is complete" and convert it to a new field which is dump_status.
Backup Server: 4.165.1.2: Using numzones of 3 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.165.1.3: Using archcnt of 1 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.165.1.4: Using dbdevcnt of 2 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.166.1.4: Using pagesize of 16384 bytes for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.58.1.1: Database ECP: 34414 kilobytes DUMPED.
Backup Server: 3.43.1.1: Dump phase number 3 completed.
Backup Server: 4.58.1.1: Database ECP: 34436 kilobytes DUMPED.
Backup Server: 3.42.1.1: DUMP is complete (database ECP).
(return status = 0)
completed
Thank you!
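An added example, not taken from the thread or from Splunk, that shows both extractions asked about above (the comma-separated number and the "DUMP is complete" line) in Python, using the same PCRE-style regex dialect that Splunk's rex command accepts (Python spells a named group `(?P<name>...)`, Splunk's rex accepts `(?<name>...)`). The number events are constructed; the Backup Server lines are the ones posted above. The SPL shown in the comments is the rex/eval pair that corresponds to each function and is offered as an equivalent, not as anything the thread itself posted.

```python
import re

# Constructed sample events for the comma question (not copied from the thread).
NUMBER_EVENTS = [
    "2019-07-19T15:15:01 job=7 number = 524,361 status=ok",
    "2019-07-19T15:16:01 job=8 number = 1,204,998 status=ok",
    "2019-07-19T15:17:01 job=9 number = 17, retries=3 status=ok",  # trailing comma is not part of the number
]

# Backup Server lines as posted in the thread above.
DUMP_EVENTS = [
    "Backup Server: 4.58.1.1: Database ECP: 34414 kilobytes DUMPED.",
    "Backup Server: 3.43.1.1: Dump phase number 3 completed.",
    "Backup Server: 3.42.1.1: DUMP is complete (database ECP).",
]

# Capture the digits together with their thousands separators, but accept a comma
# only when three digits follow it, so "17," yields "17" rather than "17,".
# Splunk equivalent (rex uses (?<name>...) for named groups):
#   | rex "number\s*=\s*(?<number>\d+(?:,\d{3})*)" | eval number=replace(number, ",", "")
NUMBER_RE = re.compile(r"\bnumber\s*=\s*(?P<number>\d+(?:,\d{3})*)")


def extract_number(event):
    """Return the number with separators removed, or None when the field is absent."""
    m = NUMBER_RE.search(event)
    if m is None:
        return None
    return m.group("number").replace(",", "")


# Only the completion line should produce dump_status; the database name is captured too.
# Splunk equivalent:
#   | rex "(?<dump_status>DUMP is complete) \(database (?<database>\w+)\)"
DUMP_RE = re.compile(r"(?P<dump_status>DUMP is complete) \(database (?P<database>\w+)\)")


def extract_dump_status(event):
    """Return {'dump_status': ..., 'database': ...} for a completion line, else None."""
    m = DUMP_RE.search(event)
    return m.groupdict() if m else None


def run():
    """Apply both extractions to the sample events and return the results."""
    numbers = [extract_number(e) for e in NUMBER_EVENTS]
    statuses = [extract_dump_status(e) for e in DUMP_EVENTS]
    return numbers, statuses


if __name__ == "__main__":
    numbers, statuses = run()
    for e, n in zip(NUMBER_EVENTS, numbers):
        print(f"{n!r:>10}  <- {e}")
    for e, s in zip(DUMP_EVENTS, statuses):
        print(f"{s!r}  <- {e}")
```

The point of the tighter `\d+(?:,\d{3})*` instead of `[\d,]+` is the third number event: a comma that ends the clause would otherwise be swallowed into the value and survive the replace as a bad number. The regex itself cannot drop the comma; the replace (or Splunk's eval replace) remains a second step.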
With a newer version of Splunk you can use:
attack_id IN (1231 1231 23421)
or
attack_id IN (1231,1231,23421)
regex attack_id="30(40|57|54)"
No, you cannot write attack_id = (1231 OR 1231 OR 23421).
Have you looked at the regex command to filter out events?
http://docs.splunk.com/Documentation/Splunk/5.0.5/SearchReference/Regex
OR
For a more static classification, make use of the eventtype feature in Splunk, where you can define this as 'attack_type_a', and then search for eventtype=attack_type_a
Hope this helps,
K
Is it possible to use regex before the first pipe? I want to filter out the events beforehand itself, so that it might increase the performance of the query
Bireswar,
You can add your extraction at props.conf allowing you to use it on your main search before the first pipe, like this.
Let's say you have already extracted a field called "attackers".
index=your_index sourcetype=l33t attackers=* | ...
OK but the "props.conf" is not something convenient.
If I want to filter out all traffic coming from my legit sites :
http://a.b.com OR https://a.b.com OR http://mobile.a.b.com OR https://mobile.a.b.com OR http://a.b.com. OR https://a.b.com. OR http://app1.a.b.com OR https://app1.a.b.com OR http://app2.a.b.com OR https://app2.a.b.com
This is how I currently do ... it would be more efficient to do so with REGEX "in" the filtering of the referer directly (in my case) !
\T,
Perfect. A regex was exactly what I needed. The solution was a search like this:
host="myhost.com" | regex attack_id="3040|3054|3048|32708"
Worked a treat. Thanks
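As an added illustration of the accepted solution above, and of the referer allow-list question a few posts up, here is a small Python model of what `| regex attack_id="3040|3054|3048|32708"` actually does. The regex command tests the field value with an unanchored search, so a bare alternation also passes a longer id such as 30400 or an id that merely ends in 3054; anchoring the alternation (or using `attack_id IN (...)`, which compares the whole value) closes that gap. The same anchoring matters when a list of legitimate hosts is used to filter a referer field. This is example code written for this page, not code from the thread or from Splunk; the events, referers and the `get_field`/`regex_filter` helpers are constructed to mimic Splunk's behaviour on a handful of lines.

```python
import re

# Constructed events; the attack_id values are chosen to exercise the edge cases.
EVENTS = [
    "host=myhost.com attack_id=3040 action=blocked",
    "host=myhost.com attack_id=30400 action=blocked",   # longer id that contains 3040
    "host=myhost.com attack_id=3057 action=allowed",
    "host=myhost.com attack_id=13054 action=blocked",   # 3054 appears as a suffix
    "host=myhost.com attack_id=9999 action=blocked",
]


def get_field(event, name):
    """Mimic Splunk's automatic key=value extraction for a single field."""
    m = re.search(r"\b%s=(\S+)" % re.escape(name), event)
    return m.group(1) if m else None


def regex_filter(events, field, pattern):
    """Mimic `| regex <field>="<pattern>"`: keep the events whose field value
    contains a match. Like Splunk's regex command, this is an unanchored search."""
    pat = re.compile(pattern)
    kept = []
    for e in events:
        value = get_field(e, field)
        if value is not None and pat.search(value):
            kept.append(e)
    return kept


def id_alternation(ids, anchored=True):
    """Build 3040|3057|3054 from a list of ids. With anchored=True the whole field
    value must be one of the ids, which is also what `attack_id IN (3040 3057 3054)`
    compares against."""
    alt = "|".join(re.escape(str(i)) for i in ids)
    return r"^(?:%s)$" % alt if anchored else alt


# Referer allow-list from the other question in this thread, as one anchored regex:
# scheme, optional known subdomain, the apex host with an optional trailing dot, then
# either end-of-string or a URL delimiter, so that a.b.com.<other-label> or a query
# string that merely contains the host cannot satisfy it.
LEGIT_REFERER_RE = re.compile(
    r"^https?://(?:mobile\.|app1\.|app2\.)?a\.b\.com\.?(?:[:/?#]|$)"
)

REFERERS = [  # constructed sample values
    "https://a.b.com/login",
    "https://mobile.a.b.com/",
    "http://app2.a.b.com:8080/x",
    "https://a.b.com.other-host.example/",                 # legit host is only a prefix label
    "https://other-host.example/?next=https://a.b.com/",   # legit host only inside the query
]


def legit_referers(referers):
    """Return only the referers that the anchored allow-list accepts."""
    return [r for r in referers if LEGIT_REFERER_RE.match(r)]


if __name__ == "__main__":
    ids = [3040, 3057, 3054]
    loose = regex_filter(EVENTS, "attack_id", id_alternation(ids, anchored=False))
    strict = regex_filter(EVENTS, "attack_id", id_alternation(ids))
    print("unanchored:", [get_field(e, "attack_id") for e in loose])
    print("anchored:  ", [get_field(e, "attack_id") for e in strict])
    print("legit referers:", legit_referers(REFERERS))
```

Run stand-alone, the unanchored filter keeps 30400 and 13054 alongside the wanted ids, while the anchored one keeps only 3040 and 3057; the referer check accepts the first three URLs and rejects the two that only contain a.b.com as a substring. The `30(40|57|54)` shorthand from the earlier reply has the same unanchored behaviour and benefits from the same `^...$` wrapping.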