Splunk Search

Searching for a specific Expression

hurryupfool123
Explorer

Splunkers, I am new to the community and learning the art of Splunk!

I am searching raw data from a syslog server; the data that I am pulling usually looks like this. I post most of the data in case it's needed, but most of the data that's security relevant has been replaced by fictitious characters.

My focus is the "%ASA-6-106100" within the message log. I want to be able to pull only the six digits in the string "106100". So far I was able to develop a few regular expressions, but in the process they pull all the numbers that are placed where the "-6-" belongs, which takes my data and makes it messy. I want to tell Splunk to only search data with 6 characters and that's it.

index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "^(?<Events_code>\. \d\d\d\d\d\d)" | table Events_code

This helps, but as mentioned it pulls even the middle code within my data.


Thanks for your help community. 

2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]


richgalloway
SplunkTrust

Try this query.

index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code
---
If this reply helps you, Karma would be appreciated.

hurryupfool123
Explorer

Hey buddy! Thanks for taking the time. Unfortunately it has not worked. The rex is still pulling a single digit after the %ASA. For some reason I think the first dash fools the system into thinking the first "-6-" counts as part of the whole 6 digits I am trying to pull within the data above. For some reason I need to cancel the first "-" so that it only takes expressions within the second "-". I hope I am making sense.


richgalloway
SplunkTrust

Here's a run-anywhere sample search that works using your example event. I don't know how you extract the Event_type_code field, so perhaps that explains the difference.

| makeresults 
| eval _raw="2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]"
| rex "(?<Event_type_code>%ASA[^:]+)"
| rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code


---
If this reply helps you, Karma would be appreciated.