Splunkers, I am new to the community and learning the art of Splunk!
I am searching raw data from a syslog server; the data that I am pulling usually looks like this. I post most of the data in case it's needed, but most of the data that's security relevant has been replaced by fictitious characters.
My focus is the "%ASA-6-106100" within the message log. I want to be able to pull only the six digits in the string "106100". So far I was able to develop a few regular expressions, but in the process it pulls all the numbers that are placed where the "-6-" belongs, which takes my data and makes it messy. I want to tell Splunk to only search data with 6 characters and that's it.
index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "^(?<Events_code>\. \d\d\d\d\d\d)" | table Event_Code_type
This helps, but as mentioned it pulls even the middle code within my data.
Thanks for your help community.
2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx 1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]
Try this query.
index=syslog sourcetype=syslongisamazing "ASA" | rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code
Hey buddy! Thanks for taking the time. Unfortunately it has not worked. The rex is still pulling the single digit after the %ASA. For some reason I think the first dash fools the system into thinking the first "-6-" counts as part of the whole 6 digits I am trying to pull within the data above. For some reason I need to cancel the first "-" so that it only takes expressions within the second "-". I hope I am making sense.
Here's a run-anywhere sample search that works using your example event. I don't know how you extract the Event_type_code field, so perhaps that explains the difference.
| makeresults
| eval _raw="2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 <234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx 1.1.1.1(3454) hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]"
| rex "(?<Event_type_code>%ASA[^:]+)"
| rex field=Event_type_code "-(?<Events_code>\d{6})" | table Event_type_code Events_code
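As an added Python example (not from the thread or Splunk itself), this reproduces the two-step extraction above against the sample event, shows why an unanchored digit match also picks up the severity "6", and adds a single-regex parse of the standard Cisco ASA "%ASA-<severity>-<message_id>" header; the event string is the fictitious one posted in the question.

```python
import re
from typing import Optional

# Constructed sample event, copied from the thread (addresses are fictitious).
SAMPLE_EVENT = (
    "2020-10-IST10:04:10.339 192.168.264.264|192.168.162.321| MFRTRSyslog0453 "
    "<234>Oct 15 2020 08:04:10 xxxx-xxxx0234: %ASA-6-106100: --> access-list "
    "xxxx-xxx-xxxx001_access_in permitted tcp xxx-x-xx-xxxxx 1.1.1.1(3454) "
    "hit-cnt 1 hit [oxbc660c9] [ox3a234t435a7f]"
)

# Mirrors the thread's two rex calls: first cut out the "%ASA-6-106100" header
# (everything from %ASA up to the next colon), then take six digits after a dash.
EVENT_TYPE_RE = re.compile(r"(?P<Event_type_code>%ASA[^:]+)")
EVENT_CODE_RE = re.compile(r"-(?P<Events_code>\d{6})")

# Single-pass alternative; assumes the standard Cisco ASA %ASA-<sev>-<id> header.
ASA_HEADER_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6})")


def extract_two_step(raw: str) -> Optional[str]:
    """Return the six-digit message ID the way the thread's search does, or None."""
    header = EVENT_TYPE_RE.search(raw)
    if not header:
        return None
    code = EVENT_CODE_RE.search(header.group("Event_type_code"))
    return code.group("Events_code") if code else None


def parse_asa_header(raw: str) -> Optional[dict]:
    """Return severity (0-7) and message ID from the ASA header, or None."""
    m = ASA_HEADER_RE.search(raw)
    if not m:
        return None
    return {"severity": int(m.group("severity")), "message_id": m.group("message_id")}


def all_digit_runs(raw: str) -> list:
    """What an unanchored \\d+ pulls from the header: the severity as well as the ID."""
    header = EVENT_TYPE_RE.search(raw)
    return re.findall(r"\d+", header.group(0)) if header else []


if __name__ == "__main__":
    print(extract_two_step(SAMPLE_EVENT))   # 106100
    print(parse_asa_header(SAMPLE_EVENT))   # {'severity': 6, 'message_id': '106100'}
    print(all_digit_runs(SAMPLE_EVENT))     # ['6', '106100']
```

The `\d{6}` quantifier is what keeps the severity out: after the first dash only one digit precedes the next dash, so the match fails there and succeeds on the second dash.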