Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk not reflecting correct REGEX Grouping

rgarcia3904
New Member
‎05-10-2013 07:37 AM

I am new to splunk and have been trying to set up my first transforms but I am having some issues. I was hoping to get some help.

Here is the scenario:

Given this data:

Time: 05/09-16:32:33.470574
event_ref: 0
22.1.11.254 -> 17.96.40.171 (portscan) TCP Portsweep
Priority Count: 3
Connection Count: 9
IP Count: 12
Scanned IP Range: 17.158.28.47:204.0.4.104
Port/Proto Count: 9
Port/Proto Range: 80:12350

And this transforms.conf

[snortPSVarious]
REGEX=(?m)(\d+.\d+.\d+.\d+)(\s+)(->\s+)(\d+.\d+.\d+.\d+\s+)(.*\R)
FORMAT=snortps_src_ip::$1 snortps_dir::$3 snortps_dst_ip::$4 snortps_type::$5

Problem: No matter what I try the snortps_type won't return "(portscan) TCP Portsweep".
It actually matches (in Splunk) the rest of the string. Oddly enough, when I test this SAME regex at:

http://gskinner.com/RegExr/

I would attach a screen shot but apparently I don't have enough "karma". 😉

Any thoughts out there?

Best,
-Roberto

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JSapienza
Contributor
‎05-10-2013 10:53 AM

My bad try this one:

EXTRACT-snortps_type = (?im)\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b\s\-\>\s\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b(?P< snortps_type >.*)Priority

alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

JSapienza
Contributor
‎05-10-2013 10:53 AM

My bad try this one:

EXTRACT-snortps_type = (?im)\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b\s\-\>\s\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b(?P< snortps_type >.*)Priority

alt text

Reply
Solved! Jump to solution

rgarcia3904
New Member
‎05-10-2013 02:10 PM

This works just fine! Thanks!
-Roberto

0 Karma
Reply
Solved! Jump to solution

JSapienza
Contributor
‎05-10-2013 09:18 AM

OK, I am going to assume that you are trying to do a field extraction. All you need is a props.conf with the following:

[snortPS]
EXTRACT-snortps_type = (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(\s\-\>\s)(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(?P < snortps_type >.*)

Is this the result you are looking for ?

alt text

0 Karma
Reply
Solved! Jump to solution

rgarcia3904
New Member
‎05-10-2013 09:23 AM

No.
The result I need is for snortps_type to have "(portscan) TCP Portsweep" and nothing more.

Thanks for your help!

Best,
Roberto

0 Karma
Reply
Solved! Jump to solution

JSapienza
Contributor
‎05-10-2013 08:24 AM

Try something like this:

REGEX = (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(\s\-\>\s)(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(.*)\
FORMAT = snortps_type::$4

alt text

0 Karma
Reply
Solved! Jump to solution

rgarcia3904
New Member
‎05-10-2013 08:35 AM

Unfortunately that does not work. I get the same results as you do on the test site but when I integrate into Splunk and reload the field still contains the whole of the rest of the string.
Could this be a bug in this version of Splunk?
Thanks for your help.
Best,
Roberto

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...