Splunk Search

Searching for a specific Expression

hurryupfool123
Explorer

Splunkers, I am new to the community and learning the art of Splunk!

I am searching raw data from a syslog server; the data that I am pulling usually looks like this. I post most of the data in case it's needed, but most of the data that's security relevant has been replaced by fictitious characters.

My focus is the "%ASA-6-106100" within the message log. I want to be able to pull only the six digits in the string, "106100". So far I was able to develop a few regular expressions, but in the process they pull all the numbers that are placed where the "-6-" belongs, which takes my data and makes it messy. I want to tell Splunk to only search data with 6 characters and that's it.

index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code ^(?<Events_code>\. \d\d\d\d\d\d) | table Event_Code_type

This helps, but as mentioned it pulls even the middle code within my data.

Thanks for your help community. 

2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]


richgalloway
SplunkTrust

Try this query.

index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code
---
If this reply helps you, Karma would be appreciated.

hurryupfool123
Explorer

Hey buddy! Thanks for taking the time. Unfortunately it has not worked. The rex is still pulling the single digit after the %ASA. For some reason I think the first dash fools the system into thinking the first "-6-" counts as part of the whole 6 digits I am trying to pull within the data above. For some reason I need to cancel the first "-" so that it only takes expressions within the second "-". I hope I am making sense.


richgalloway
SplunkTrust

Here's a run-anywhere sample search that works using your example event. I don't know how you extract the Event_type_code field, so perhaps that explains the difference.

| makeresults 
| eval _raw="2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]"
| rex "(?<Event_type_code>%ASA[^:]+)"
| rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code

---
If this reply helps you, Karma would be appreciated.
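Added example (not part of the thread, and not richgalloway's or Splunk's code): the two rex stages from the answer above replayed in Python's re module against the sample event from the question, plus a stricter single pattern that anchors both the severity digit and the six-digit message ID to the "%ASA-" prefix. It shows why "-(?<Events_code>\d{6})" cannot pick up the "6" in "-6-": after that dash only one digit follows before the next dash, so \d{6} fails there and the engine moves on to the dash in front of "106100". Python spells named groups (?P<name>...) rather than the (?<name>...) that Splunk accepts; the second event string and the function names are constructed for this example.

```python
import re

# Sample event copied from the question (addresses and names in it are fictitious).
SAMPLE_EVENT = (
    "2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 "
    "<234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list "
    "xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx  1.1.1.1(3454) "
    "hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]"
)

# Constructed event with a different severity and message ID, to show the
# extraction is not tied to "6" or "106100".
CONSTRUCTED_EVENT = (
    "<234>Oct 15 2020 08:05:00 xxxx-xxxx0234: %ASA-4-999999: constructed test message"
)

# Stage 1 of the answer's pipeline: "%ASA" followed by everything up to the next colon.
EVENT_TYPE_RE = re.compile(r"(?P<Event_type_code>%ASA[^:]+)")

# Stage 2 of the answer's pipeline: exactly six digits that directly follow a dash.
# At "-6-" the dash matches but \d{6} sees "6-" and fails, so the match is skipped.
EVENTS_CODE_RE = re.compile(r"-(?P<Events_code>\d{6})")

# Stricter single-pattern alternative: both numbers are anchored to the "%ASA-" prefix,
# and (?!\d) refuses to take the first six digits of a longer run of digits.
STRICT_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<Events_code>\d{6})(?!\d)")


def extract_two_step(event):
    """Replay the answer's two rex stages; returns the two fields or None."""
    m = EVENT_TYPE_RE.search(event)
    if m is None:
        return None
    event_type_code = m.group("Event_type_code")
    m2 = EVENTS_CODE_RE.search(event_type_code)
    return {
        "Event_type_code": event_type_code,
        "Events_code": m2.group("Events_code") if m2 else None,
    }


def extract_strict(event):
    """One anchored regex that yields the severity digit and the message ID."""
    m = STRICT_RE.search(event)
    if m is None:
        return None
    return {"severity": int(m.group("severity")), "Events_code": m.group("Events_code")}


def dash_matches(event_type_code):
    """Every six-digit run that follows a dash; demonstrates that '6' is not among them."""
    return EVENTS_CODE_RE.findall(event_type_code)


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, CONSTRUCTED_EVENT):
        print(extract_two_step(ev), extract_strict(ev))
    print(dash_matches("%ASA-6-106100"))
```

If the live field still yields a single digit, compare what your own Event_type_code extraction contains with the stage-1 output here: the stage-2 pattern only behaves as shown when the field holds the full "%ASA-6-106100" string.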