Splunk Search

Splunk Query - How to create a table from event

pclooi
New Member

I'm quite new to Splunk and am currently trying to do something simple with Splunk using syslog. I have a Firepower syslog and need to understand how to make a table of the events, but so far unsuccessfully.

My current query is

sourcetype="syslog"  URL
| rex "^\[(?[^]]+)\]\[(?[^]]+)\]\[(?[^]]+)\] \"(?[^\"]+)\" \[Classification: (?[^]]+)\] \[Priority: (?[^]]+)\] {(?[^}]+)} (?\d+\.\d+\.\d+\.\d+):(?\d+) -\> (?\d+\.\d+\.\d+\.\d+):(?\d+)"
| eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S") 
|table  c_time, src_ip, src_port, dest_ip, dest_port, message, blocked
|rename _time AS "Time", eventtype AS "Event Type", src_port AS "Src Port" , dest_ip AS "Dst" , dest_port AS "Dst Port", ip_proto AS "Protocol", hostname AS "Hostname", message AS "Message", blocked AS "Blocked?", src_ip AS "Src", c_time As "Time"

From the events, I could see
Aug 14 17:47:08 xx.xx.xx.xx Aug 14 09:47:08 firepower SFIMS: Protocol: TCP, SrcIP: xx.xx.xx.xx, OriginalClientIP: ::, DstIP: xx.xx.xx.xx, SrcPort: xxxxx, DstPort: xxx, TCPFlags: 0x0, IngressInterface: CBY-IFW-01/IFW_TRANSIT, EgressInterface: CBY-IFW-01/IFW_OUTSIDE_2, IngressZone: INSIDE_Internet, EgressZone: OUTSIDE_INTERNET_2, Policy: MY_Policy, ConnectType: End, AccessControlRuleName: MY_POLICY, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Some App, InitiatorPackets: 8, ResponderPackets: 9, InitiatorBytes: 1403, ResponderBytes: 3716, Context: CBY-IFW-01, NAPPolicy: Question Mark, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://this.splunkquery.com

I would like to see a table like the one below.
time | src_ip | dst_ip | URL

Is it possible? Any help is appreciated.

0 Karma
1 Solution

mayurr98
Super Champion

I think this should work too; it will extract almost all the fields required:

.. | extract pairdelim="," kvdelim=": " | rex "URL:\s*(?<URL>.*)" 
| table _time SrcIP DstIP URL


0 Karma
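As an added illustration (not part of the answer above), the same key-value parsing that `extract pairdelim="," kvdelim=": "` plus the `rex` for URL performs can be checked outside Splunk. The script below is my own code, not the poster's: it splits each pair on the first ": " only, so values that contain colons (the `OriginalClientIP: ::` field and the `https://` URL) are kept whole, and it takes URL as the remainder of the line because a URL may itself contain ", ". The sample event is constructed from the shape shown in the question, with the `xx.xx.xx.xx` placeholders replaced by RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List

# Constructed sample event (shape taken from the question; addresses are documentation ranges).
SAMPLE = (
    "Aug 14 17:47:08 192.0.2.10 Aug 14 09:47:08 firepower SFIMS: Protocol: TCP, "
    "SrcIP: 192.0.2.10, OriginalClientIP: ::, DstIP: 198.51.100.20, SrcPort: 51234, "
    "DstPort: 443, TCPFlags: 0x0, IngressInterface: CBY-IFW-01/IFW_TRANSIT, "
    "AccessControlRuleAction: Allow, UserName: No Authentication Required, "
    "ApplicationProtocol: HTTPS, URLCategory: Unknown, URLReputation: Risk unknown, "
    "URL: https://this.splunkquery.com"
)

# Syslog header: relay timestamp, relay host, device timestamp, device hostname,
# then the literal "SFIMS: " and the key-value body.
HEADER_RE = re.compile(
    r"^(?P<relay_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) "
    r"(?P<dev_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) SFIMS: (?P<body>.*)$"
)


def parse_firepower(line: str) -> Dict[str, str]:
    """Parse one Firepower SFIMS connection event into a flat dict of fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an SFIMS event")
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    # URL is always last and may contain ", " or ":", so peel it off first.
    body, sep, url = m.group("body").partition(", URL: ")
    for pair in body.split(", "):
        key, _, value = pair.partition(": ")  # split on the FIRST ": " only
        fields[key] = value
    if sep:
        fields["URL"] = url
    return fields


def to_row(fields: Dict[str, str],
           columns=("dev_ts", "SrcIP", "DstIP", "URL")) -> List[str]:
    """Project the parsed event onto the columns the question asks for."""
    return [fields.get(c, "") for c in columns]


if __name__ == "__main__":
    print(" | ".join(to_row(parse_firepower(SAMPLE))))
```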


Sukisen1981
Champion
| makeresults 
| eval payload="Aug 14 17:47:08 xx.xx.xx.xx Aug 14 09:47:08 firepower SFIMS: Protocol: TCP, SrcIP: xx.xx.xx.xx, OriginalClientIP: ::, DstIP: xx.xx.xx.xx, SrcPort: xxxxx, DstPort: xxx, TCPFlags: 0x0, IngressInterface: CBY-IFW-01/IFW_TRANSIT, EgressInterface: CBY-IFW-01/IFW_OUTSIDE_2, IngressZone: INSIDE_Internet, EgressZone: OUTSIDE_INTERNET_2, Policy: MY_Policy, ConnectType: End, AccessControlRuleName: MY_POLICY, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Some App, InitiatorPackets: 8, ResponderPackets: 9, InitiatorBytes: 1403, ResponderBytes: 3716, Context: CBY-IFW-01, NAPPolicy: Question Mark, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://this.splunkquery.com"
| rex field=payload "SrcIP:\s*(?<src_ip>[^,]+)," 
| rex field=payload "DstIP:\s*(?<dst_ip>[^,]+)," 
| rex field=payload "URL:\s*(?<url>.*)" 
| table _time,src_ip,dst_ip,url

This is simple, but I think you are stuck somewhere.

0 Karma

richgalloway
SplunkTrust

The forum formatter mangled your regex strings. Please edit your question to restore them. Putting SPL and other code-like text inside backticks will preserve formatting.

Despite the damage done to the rex command, we can see it doesn't match your sample event. The regex expects [ as the first character of the event, but there are no brackets anywhere in the data. Likewise, the texts "Classification:" and "Priority:" are sought, but are not in the event. Are you sure you gave us the right sample event?

---
If this reply helps you, Karma would be appreciated.
0 Karma