Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the problem with Regex field extraction wi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I have data from Cisco ESA similar to this two examples:
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
and
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
Sometimes the "Suspected Domain" part is not a part of the data.
I want to add a field extraction for the "Threat Category" value (in this case "Spam") .
Can anyone help me out with this? I tried the field extraction in Splunk, but Splunk can't handle both types (with a , or . after the Category "Spam")
Regards,
Maik
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MOberschelp ,
UPDATED: to include special chars
"Threat Category:\s(?<Threat_Category>.+?)[,\.]"
Try
"Threat Category:\s(?<Threat_Category>\w+)"
OR
If you want to add . or ,
"Threat Category:\s(?<Threat_Category>\w+)[,\.]"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MOberschelp ,
UPDATED: to include special chars
"Threat Category:\s(?<Threat_Category>.+?)[,\.]"
Try
"Threat Category:\s(?<Threat_Category>\w+)"
OR
If you want to add . or ,
"Threat Category:\s(?<Threat_Category>\w+)[,\.]"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick reply. This worked fine for my example.
But now I've seen that not all values are detected.
@this example the regex doesn't work:
Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: N/A, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
I think here is the "/" @ "N/A" the problem.
Any hints for this?
Tried my best @ regex101.com but regular expressions are my weakness... 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MOberschelp ,
I was about to ask you about whether the category is always a string 🙂 . Try
Threat Category:\s(?<Threat_Category>.+?)[,\.]
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or if you have only "/" in the list of special characters, then below also should work
"Threat Category:\s(?<Threat_Category>[\w\/]+)[,\.]"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! That just works perfect!
Thank you very much!
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
