Splunk Query - How to create a table from event

pclooi
New Member

I'm quite new to Splunk and am currently trying to do a simple with Splunk using syslog. I have a firepower syslog and need to understand how to make a table of the events, but have been unsuccessful.

My current query is

sourcetype="syslog"  URL
| rex "^\[(?[^]]+)\]\[(?[^]]+)\]\[(?[^]]+)\] \"(?[^\"]+)\" \[Classification: (?[^]]+)\] \[Priority: (?[^]]+)\] {(?[^}]+)} (?\d+\.\d+\.\d+\.\d+):(?\d+) -\> (?\d+\.\d+\.\d+\.\d+):(?\d+)"
| eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S") 
|table  c_time, src_ip, src_port, dest_ip, dest_port, message, blocked
|rename _time AS "Time", eventtype AS "Event Type", src_port AS "Src Port" , dest_ip AS "Dst" , dest_port AS "Dst Port", ip_proto AS "Protocol", hostname AS "Hostname", message AS "Message", blocked AS "Blocked?", src_ip AS "Src", c_time As "Time"

From the events, I could see
Aug 14 17:47:08 xx.xx.xx.xx Aug 14 09:47:08 firepower SFIMS: Protocol: TCP, SrcIP: xx.xx.xx.xx, OriginalClientIP: ::, DstIP: xx.xx.xx.xx, SrcPort: xxxxx, DstPort: xxx, TCPFlags: 0x0, IngressInterface: CBY-IFW-01/IFW_TRANSIT, EgressInterface: CBY-IFW-01/IFW_OUTSIDE_2, IngressZone: INSIDE_Internet, EgressZone: OUTSIDE_INTERNET_2, Policy: MY_Policy, ConnectType: End, AccessControlRuleName: MY_POLICY, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Some App, InitiatorPackets: 8, ResponderPackets: 9, InitiatorBytes: 1403, ResponderBytes: 3716, Context: CBY-IFW-01, NAPPolicy: Question Mark, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://this.splunkquery.com

I would like to see a table like the ones below.
time | src_ip | dst_ip | URL

Is it possible? Any help is appreciated.

0 Karma
1 Solution

mayurr98
Super Champion

I think this should work too, which will extract almost all the fields required:

.. | extract pairdelim="," kvdelim=": " | rex "URL:\s*(?<URL>.*)" 
| table _time SrcIP DstIP URL


0 Karma

Sukisen1981
Champion
| makeresults 
| eval payload="Aug 14 17:47:08 xx.xx.xx.xx Aug 14 09:47:08 firepower SFIMS: Protocol: TCP, SrcIP: xx.xx.xx.xx, OriginalClientIP: ::, DstIP: xx.xx.xx.xx, SrcPort: xxxxx, DstPort: xxx, TCPFlags: 0x0, IngressInterface: CBY-IFW-01/IFW_TRANSIT, EgressInterface: CBY-IFW-01/IFW_OUTSIDE_2, IngressZone: INSIDE_Internet, EgressZone: OUTSIDE_INTERNET_2, Policy: MY_Policy, ConnectType: End, AccessControlRuleName: MY_POLICY, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Some App, InitiatorPackets: 8, ResponderPackets: 9, InitiatorBytes: 1403, ResponderBytes: 3716, Context: CBY-IFW-01, NAPPolicy: Question Mark, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://this.splunkquery.com" 
| rex field=payload "SrcIP:\s*(?<src_ip>.*?)," 
| rex field=payload "DstIP:\s*(?<dst_ip>.*?)," 
| rex field=payload "URL:\s*(?<url>.*)" 
| table _time,src_ip,dst_ip,url

This is simple, but I think you are stuck someplace.

0 Karma
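The two answers above (mayurr98's `extract pairdelim="," kvdelim=": "` plus a `rex` for the URL, and Sukisen1981's field-by-field `rex`) both parse the Firepower key/value body and then project a few columns. As an added example that is not code from any of the posts, here is a small Python parser that does the same thing offline, so you can check what each step yields before typing it into Splunk. The sample event is constructed from the line quoted in the question (documentation-range addresses, placeholder ports), and the comma inside the URL's query string is an assumption added to show why the URL is better taken with an anchored regex than from the delimiter split: the pair delimiter would cut it short.

```python
import re

# Constructed sample event, modelled on the line quoted in the question.
# Addresses and ports are documentation-range placeholders, and the URL is
# given a comma in its query string to exercise the edge case handled below.
SAMPLE_EVENT = (
    "Aug 14 17:47:08 10.0.0.5 Aug 14 09:47:08 firepower SFIMS: Protocol: TCP, "
    "SrcIP: 192.0.2.10, OriginalClientIP: ::, DstIP: 198.51.100.20, "
    "SrcPort: 51234, DstPort: 443, TCPFlags: 0x0, "
    "IngressInterface: CBY-IFW-01/IFW_TRANSIT, EgressInterface: CBY-IFW-01/IFW_OUTSIDE_2, "
    "IngressZone: INSIDE_Internet, EgressZone: OUTSIDE_INTERNET_2, Policy: MY_Policy, "
    "ConnectType: End, AccessControlRuleName: MY_POLICY, AccessControlRuleAction: Allow, "
    "Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, "
    "ApplicationProtocol: HTTPS, WebApplication: Some App, InitiatorPackets: 8, "
    "ResponderPackets: 9, InitiatorBytes: 1403, ResponderBytes: 3716, Context: CBY-IFW-01, "
    "NAPPolicy: Question Mark, DNSResponseType: No Error, Sinkhole: Unknown, "
    "URLCategory: Unknown, URLReputation: Risk unknown, "
    "URL: https://example.com/search?q=a,b"
)

# Syslog header: relay timestamp, relay address, device timestamp and hostname,
# then the "SFIMS: " tag that precedes the key/value body.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?SFIMS: (?P<body>.*)$"
)
# Equivalent of the answer's rex "URL:\s*(?<URL>.*)": everything to end of line,
# anchored so that "URLCategory:" and "URLReputation:" are not mistaken for it.
URL_RE = re.compile(r"(?:^|, )URL:\s*(?P<URL>.*)$")


def extract_pairs(body, pairdelim=",", kvdelim=": "):
    """Emulate extract pairdelim="," kvdelim=": ": split the body on the pair
    delimiter, then split each pair on the first key/value delimiter."""
    fields = {}
    for chunk in body.split(pairdelim):
        chunk = chunk.strip()
        if kvdelim not in chunk:
            continue  # e.g. the tail of a value that itself contained a comma
        key, value = chunk.split(kvdelim, 1)
        fields[key.strip()] = value.strip()
    return fields


def url_from_extract(line):
    """URL as the delimiter-based extraction alone would report it."""
    m = HEADER_RE.match(line)
    return extract_pairs(m.group("body")).get("URL") if m else None


def parse_event(line):
    """Return the four columns asked for in the question: time, src_ip, dst_ip, URL."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    fields = extract_pairs(body)
    url = URL_RE.search(body)
    return {
        "time": m.group("ts"),
        "src_ip": fields.get("SrcIP"),
        "dst_ip": fields.get("DstIP"),
        # Prefer the anchored regex: a comma inside the URL truncates the
        # pair-delimited value, which is why the answers add a separate rex.
        "URL": url.group("URL") if url else fields.get("URL"),
    }


def render_table(rows, columns=("time", "src_ip", "dst_ip", "URL")):
    """Pipe-separated table in the layout shown in the question."""
    lines = [" | ".join(columns)]
    for row in rows:
        lines.append(" | ".join(str(row.get(c, "")) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table([parse_event(SAMPLE_EVENT)]))
```

The column names in `parse_event` are the same names `render_table` looks up; the same rule applies in SPL, where a field extracted as `dst_ip` has to be referenced as `dst_ip` in `table`, not `dest_ip`.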

richgalloway
SplunkTrust

The forum formatter mangled your regex strings. Please edit your question to restore them. Putting SPL and other code-like text inside backticks will preserve formatting.

Despite the damage done to the rex command, we can see it doesn't match your sample event. The regex expects [ as the first character of the event, but there are no brackets anywhere in the data. Likewise, the texts "Classification:" and "Priority:" are sought, but are not in the event. Are you sure you gave us the right sample event?

---
If this reply helps you, Karma would be appreciated.
0 Karma