Splunk Search

What is the problem with Regex field extraction with "OR"

Explorer

Hi everyone,

I have data from Cisco ESA similar to this two examples:

> Feb  6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com

and

> Feb  6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com

Sometimes the "Suspected Domain" part is not a part of the data.

I want to add a field extraction for the "Threat Category" value (in this case "Spam") .

Can anyone help me out with this? I tried the field extraction in Splunk, but Splunk can't handle both types (with a , or . after the Category "Spam")

Regards,
Maik

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@MOberschelp ,

UPDATED: to include special chars

"Threat Category:\s(?<Threat_Category>.+?)[,\.]"

Try

"Threat Category:\s(?<Threat_Category>\w+)"

OR

If you want to add . or ,

"Threat Category:\s(?<Threat_Category>\w+)[,\.]"

View solution in original post

SplunkTrust
SplunkTrust

@MOberschelp ,

UPDATED: to include special chars

"Threat Category:\s(?<Threat_Category>.+?)[,\.]"

Try

"Threat Category:\s(?<Threat_Category>\w+)"

OR

If you want to add . or ,

"Threat Category:\s(?<Threat_Category>\w+)[,\.]"

View solution in original post

Explorer

Thanks for the quick reply. This worked fine for my example.
But now I've seen that not all values are detected.

@this example the regex doesn't work:
Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: N/A, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com

I think here is the "/" @ "N/A" the problem.
Any hints for this?
Tried my best @ regex101.com but regular expressions are my weakness... 😉

0 Karma

SplunkTrust
SplunkTrust

@MOberschelp ,
I was about to ask you about whether the category is always a string 🙂 . Try

Threat Category:\s(?<Threat_Category>.+?)[,\.]
0 Karma

SplunkTrust
SplunkTrust

Or if you have only "/" in the list of special characters, then below also should work

"Threat Category:\s(?<Threat_Category>[\w\/]+)[,\.]"
0 Karma

Explorer

Great! That just works perfect!
Thank you very much!

0 Karma