Splunk Search

Regular Expression in Search

balcv
Contributor

I currently have a search looking for specific attack_id values. For example:

("attack_id=3040" OR "attack_id=3057" OR "attack_id=3054")

My question is, how could I create a regular expression that could cut this down so that I would only need to enter the test attack_id= once followed by a series of numbers such as 3040 3057 3054 etc and have the search trigger on a combination of attack_id= and one of the numbers.

For those who are familiar, just like egrep in unix.

manish_578
Loves-to-Learn

Hi All,
We want to do a field extraction where we need to eliminate comma from the field value. E.g. we get the log as ......number = 524,361....... and what we need is the number to be extracted as "number = 524361" (the comma is removed in the output). Is there a way to do it using regex may be with some function or something. Or any other way to achieve it. Appreciate your response in advance.

0 Karma

scelikok
Champion

Hi @manish_578,

If you want to clear comma on search you can use replace command like below;

| eval number =replace(number,",","")

Or if you want  put this into extractions, you should but below EVAL inside your sourcetype settings;

[your_sourcetype]
EVAL-number = replace(number,",","")

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote is appreciated.
0 Karma

manish_578
Loves-to-Learn

Yes, this is good for search but how to use for field extraction and in regex directly. 

0 Karma

kevinalzaga
Observer

Hi,

Could someone please help me to filter this raw fields and extract it from a new field? I just need to gather "DUMP is complete" and convert it to a new field which is dump_status.

Backup Server: 4.165.1.2: Using numzones of 3 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.165.1.3: Using archcnt of 1 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.165.1.4: Using dbdevcnt of 2 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.166.1.4: Using pagesize of 16384 bytes for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 4.58.1.1: Database ECP: 34414 kilobytes DUMPED.
Backup Server: 3.43.1.1: Dump phase number 3 completed.
Backup Server: 4.58.1.1: Database ECP: 34436 kilobytes DUMPED.
Backup Server: 3.42.1.1: DUMP is complete (database ECP).
(return status = 0)
completed

Thank you!

0 Karma

lakromani
Builder

When newer version of Splunk you can use:

attack_id IN (1231 1231 23421)

or

attack_id IN (1231,1231,23421)

ovetjornhed
Engager

regex attack_id="30(40|57|54)"

kristian_kolb
Ultra Champion

No, you cannot write attack_id = (1231 OR 1231 OR 23421).

Have you looked at the regex command to filter out events?

http://docs.splunk.com/Documentation/Splunk/5.0.5/SearchReference/Regex

OR

For a more static classifictaion, make use of the eventtype feature in Splunk, where you can define this as 'attack_type_a', and then search for eventtype=attack_type_a

Hope this helps,

K

Bireswar
New Member

Is it possible to use regex before the first pipe ? I want to filter out the events before hand itself, so that it might increase the performance of the query

0 Karma

alemarzu
Motivator

Bireswar,

You can add your extraction at props.conf allowing you to use it on your main search before the first pipe, like this.

Lets say you have already extracted a field called "attackers".

index=your_index sourcetype=l33t attackers=* | ...
0 Karma

tsmets
Engager

OK but the "props.conf" is not something convenient.
If I want to filter out all traffic coming from my legit sites :

http://a.b.com OR https://a.b.com OR http://mobile.a.b.com OR https://mobile.a.b.com OR http://a.b.com. OR https://a.b.com. OR http://app1.a.b.com OR https://app1.a.b.com OR http://app2.a.b.com OR https://app2.a.b.com

This is how I currently do ... it would be more efficient to do so with REGEX "in" the filtering of the referer directly (in my case) !

\T,

0 Karma

balcv
Contributor

Perfect. A regex was exactly what I needed. The solution was a search like this:

host="myhost.com" | regex attack_id="3040|3054|3048|32708"

Worked a treat. Thanks