Splunk Search

Searching for a specific Expression

hurryupfool123
Explorer

Splunkers, I am new to the community and learning the art of Splunk!

I am searching raw data from a syslog server; the data that I am pulling usually looks like this. I have posted most of the data in case it's needed, but most of the security-relevant data has been replaced by fictitious characters.

My focus is the "%ASA-6-106100" within the message log. I want to be able to pull only the six digits in the string "106100". So far I have been able to develop a few regular expressions, but in the process they pull all the numbers that are placed where the "-6-" belongs, which takes my data and makes it messy. I want to tell Splunk to only search data with 6 characters and that's it.

index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "^(?<Events_code>\. \d\d\d\d\d\d)" | table Events_code

This helps, but as mentioned it pulls even the middle code within my data.

Thanks for your help community. 

2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]


richgalloway
SplunkTrust

Try this query.

index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code
---
If this reply helps you, Karma would be appreciated.

hurryupfool123
Explorer

Hey buddy! Thanks for taking the time. Unfortunately it has not worked. The rex is still pulling a single digit after the %ASA. For some reason I think the first dash fools the system into thinking the first "-6-" counts as part of the whole 6 digits I am trying to pull within the data above. For some reason I need to cancel the first "-" so that it only takes expressions within the second "-". I hope I am making sense.


richgalloway
SplunkTrust

Here's a run-anywhere sample search that works using your example event. I don't know how you extract the Event_type_code field, so perhaps that explains the difference.

| makeresults 
| eval _raw="2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]"
| rex "(?<Event_type_code>%ASA[^:]+)"
| rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code

---
If this reply helps you, Karma would be appreciated.
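Added example, not part of either reply above: the same two regexes as the answers' rex commands (`%ASA[^:]+` to isolate the event type code, then `-(?<Events_code>\d{6})` for the message id) applied in Python's `re` over constructed ASA syslog lines, so you can see why the thread's `-\d{6}` skips the "-6-" severity while a `\d+` style pattern grabs that "6" instead. The first sample line mirrors the event posted in the question; the other lines are made up in the same Cisco ASA format and the `ASA_HEADER_RE` single-pass regex and `count_by_msg_id` roll-up are my additions, not something from the thread.

```python
import re
from collections import Counter

# Constructed sample events: the first mirrors the event shape in the question, the rest are
# made-up lines in the same Cisco ASA syslog format (not captured from a real device).
SAMPLE_EVENTS = [
    "2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 "
    "xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  "
    "1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]",
    "<163>Oct 15 2020 08:04:11 xxxx-xxxx0234: %ASA-4-106023: Deny tcp src outside:1.1.1.1/3454 "
    "dst inside:10.0.0.5/22 by access-group xxxx_access_in",
    "<166>Oct 15 2020 08:04:12 xxxx-xxxx0234: %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:1.1.1.1/3454 (1.1.1.1/3454) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "<166>Oct 15 2020 08:04:13 xxxx-xxxx0234: plain text line without an ASA message id",
]

# Step 1 of the approach in the thread: isolate everything from "%ASA" up to the next colon.
EVENT_TYPE_CODE_RE = re.compile(r"(?P<Event_type_code>%ASA[^:]+)")
# Step 2: the message id is the only run of exactly six digits that follows a dash.
EVENTS_CODE_RE = re.compile(r"-(?P<Events_code>\d{6})")
# The trap described in the question: the first digit run after "%ASA-" is the severity.
NAIVE_RE = re.compile(r"%ASA-(\d+)")
# Assumed single-pass form (my addition): %ASA-<severity 0-7>-<six-digit id>:
ASA_HEADER_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}):")


def naive_code(event):
    """'\\d+' stops at the dash after the severity, so this returns '6', not '106100'."""
    m = NAIVE_RE.search(event)
    return m.group(1) if m else None


def extract_two_step(event):
    """Mirror of the two rex commands in the reply.

    Returns (Event_type_code, Events_code), or (None, None) when no ASA header is present.
    """
    m = EVENT_TYPE_CODE_RE.search(event)
    if not m:
        return None, None
    event_type_code = m.group("Event_type_code")
    # In '-6-106100' the first dash is followed by a single digit, so '\\d{6}' fails there
    # and the engine moves on to the second dash, where it matches the message id.
    m2 = EVENTS_CODE_RE.search(event_type_code)
    return event_type_code, (m2.group("Events_code") if m2 else None)


def parse_asa_header(event):
    """Single-pass extraction of severity and message id; None if the event has no ASA header."""
    m = ASA_HEADER_RE.search(event)
    if not m:
        return None
    return {"severity": int(m.group("severity")), "msg_id": m.group("msg_id")}


def count_by_msg_id(events):
    """Equivalent of '| stats count by Events_code' over the parsed events."""
    return Counter(h["msg_id"] for h in map(parse_asa_header, events) if h)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(naive_code(ev), extract_two_step(ev), parse_asa_header(ev))
    print(count_by_msg_id(SAMPLE_EVENTS))
```

The two-step version is what the SPL above does; the single-regex version anchors on the whole `%ASA-<severity>-<id>:` header, which is the safer choice if the same index also carries other vendors' syslog with six-digit numbers after a dash.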