I currently have a search looking for specific attack_id values. For example:
("attack_id=3040" OR "attack_id=3057" OR "attack_id=3054")
My question is, how could I create a regular expression that could cut this down so that I would only need to enter the text attack_id= once, followed by a series of numbers such as 3040, 3057, 3054, etc., and have the search trigger on a combination of attack_id= and one of the numbers?
For those who are familiar, just like egrep in Unix.
We want to do a field extraction where we need to eliminate the comma from the field value. E.g. we get the log as ......number = 524,361....... and what we need is the number to be extracted as "number = 524361" (the comma is removed in the output). Is there a way to do it using regex, maybe with some function or something? Or any other way to achieve it? Appreciate your response in advance.
If you want to clear the comma on search, you can use the replace command like below:
| eval number=replace(number,",","")
Or if you want to put this into extractions, you should put the EVAL below inside your sourcetype settings:
[your_sourcetype] EVAL-number = replace(number,",","")
If this reply helps you an upvote is appreciated.
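As an added example (not part of the answer above), here is a self-contained Splunk search that builds one constructed event with makeresults, extracts the comma-grouped number with rex, and strips the comma with the replace function from the answer, so it can be pasted into a search bar without any indexed data. The surrounding event text and the field name number are assumptions made for the example:

```spl
| makeresults
| eval _raw="2019-07-19 15:15:01 app=billing ...... number = 524,361 ....... status=ok"
| rex field=_raw "number\s*=\s*(?<number>\d{1,3}(?:,\d{3})*)"
| eval number=replace(number, ",", "")
| table _raw number
```

The table shows number=524361. The pattern only accepts digit groups of three separated by commas, so it stops before any unrelated text and also matches a value that never had a comma. The props.conf equivalent is an EXTRACT-number stanza carrying the same regex next to the EVAL-number line from the answer; calculated fields run after field extractions, which is what lets the EVAL overwrite the extracted value. If the field is going to be summed or compared, wrap it once more with tonumber() so Splunk treats it as a number rather than a string.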
Could someone please help me to filter these raw fields and extract it into a new field? I just need to gather "DUMP is complete" and convert it to a new field, which is dump_status.
Backup Server: 184.108.40.206: Using numzones of 3 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 220.127.116.11: Using archcnt of 1 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 18.104.22.168: Using dbdevcnt of 2 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 22.214.171.124: Using pagesize of 16384 bytes for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: 126.96.36.199: Database ECP: 34414 kilobytes DUMPED.
Backup Server: 188.8.131.52: Dump phase number 3 completed.
Backup Server: 184.108.40.206: Database ECP: 34436 kilobytes DUMPED.
Backup Server: 220.127.116.11: DUMP is complete (database ECP).
(return status = 0)
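An added example, not part of the question above: the three constructed events below reproduce the last Backup Server lines from the post, and a rex with named capture groups pulls the completion message into dump_status. The backup_host and database field names are assumptions for the example; on the events that do not contain the phrase, rex leaves dump_status empty, so where drops them.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n==1, "Backup Server: 188.8.131.52: Dump phase number 3 completed.",
    n==2, "Backup Server: 184.108.40.206: Database ECP: 34436 kilobytes DUMPED.",
    n==3, "Backup Server: 220.127.116.11: DUMP is complete (database ECP).")
| rex field=_raw "^Backup Server: (?<backup_host>[^:]+): (?<dump_status>DUMP is complete) \(database (?<database>[^)]+)\)"
| where isnotnull(dump_status)
| table backup_host database dump_status
```

Against real data, replace the first three lines with the index and sourcetype search and put | regex _raw="DUMP is complete" in front of the rex so only the completion events are scanned. The same regex can go into props.conf as an EXTRACT-dump_status line under the sourcetype, which makes dump_status available before the first pipe and lets you alert on dump jobs that never produce it.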
No, you cannot write attack_id = (1231 OR 1231 OR 23421).
Have you looked at the regex command to filter out events?
For a more static classification, make use of the eventtype feature in Splunk, where you can define this as 'attack_type_a', and then search for eventtype=attack_type_a.
Hope this helps,
You can add your extraction at props.conf, allowing you to use it on your main search before the first pipe, like this.
Let's say you have already extracted a field called "attackers".
index=your_index sourcetype=l33t attackers=* | ...
OK, but the "props.conf" is not something convenient.
If I want to filter out all traffic coming from my legit sites:
http://a.b.com OR https://a.b.com OR http://mobile.a.b.com OR https://mobile.a.b.com OR http://a.b.com. OR https://a.b.com. OR http://app1.a.b.com OR https://app1.a.b.com OR http://app2.a.b.com OR https://app2.a.b.com
This is how I currently do it ... it would be more efficient to do so with a REGEX "in" the filtering of the referer directly (in my case)!
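As an added example that serves both the attack_id question at the top of the thread and the referer list in this reply (example searches written here, not from any poster), two regex-command searches that collapse each OR list into a single alternation. The index and sourcetype values are assumptions:

```spl
index=your_index sourcetype=l33t
| regex _raw="attack_id=(3040|3057|3054)(?!\d)"

index=web sourcetype=access_combined
| regex referer!="^https?://(mobile\.|app1\.|app2\.)?a\.b\.com\.?(/|$)"
```

The first search keeps only events carrying one of the three IDs; the parentheses are required, since attack_id=3040|3057|3054 would match a bare 3057 anywhere in the event, and the (?!\d) lookahead stops 3040 from matching 30400. If attack_id is already an extracted field, | regex attack_id="^(3040|3057|3054)$" does the same job on the field value alone. The second search uses the != form of regex to drop every event whose referer is one of the legit sites: the host must be a.b.com or one of the three listed subdomains, an optional trailing dot is accepted, and the host must be followed by a slash or the end of the string, so a referer such as http://a.b.com.attacker.example is not treated as legitimate. A regex after the first pipe is applied to every event the base search returns, so keep the index, sourcetype and any indexed terms before the pipe to limit what has to be scanned.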