Splunk Search

Unable to extract IP Address and Port number with reg

Path Finder

I have an event that I want to extract the IP Address and Port number.

Mar 6 13:59:59 192.168.140.215 %ASA-4-106023: Deny udp src outside:xxx.xxx.xxx.xxx/xxxxx dst inside:xxx.xxx.xxx.xxx/xxxxx by access-group "outsideaccessin" [0x0, 0x0]

The following search works and produces results.
(sourcetype=cisco_asa AND Deny NOT (search)) | rex field=Outside "outside:(?P[^/])(?P[^ ]*?)" | stats count by OutsideIP | sort -count

But this search works but does not produce any results.
(sourcetype=cisco_asa AND Deny NOT (search)) | rex field=Outside "outside:(?P[^/])(?P[^ ]*?)" | stats count by OutsidePort | sort -count

I have tried many variations to extract the OutsidePort with no success. What am I doing wrong?

Thank you
Randy

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

This works for me:

...  | rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by outside_port

View solution in original post

Engager

I think the only thing you forgot is the "/" between the extraction of "outsideip" and "outsideport", which martin_mueller has in his extraction...

0 Karma

SplunkTrust
SplunkTrust

This works for me:

...  | rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by outside_port

View solution in original post

Path Finder

I added the missing / between the round brackets to what I had but I still had problems. I kept fiddling with what I had unsuccessfully, but cutting & pasting exactly what you have does the job. Thank you.

0 Karma