Splunk Search

help me in writing Regex for the below data

vikram1583
Explorer

<37>Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7611|Suspicious Country Blacklist|1|app=IP cnt=1 dst=192.54.112.30 dpt=53 act=Block cn1=0 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0

from above data i want to extract below line

Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint

Tags (1)
0 Karma
1 Solution

Sukisen1981
Champion

hi @vikram1583
Please see below screen shot from my and @jpolvino 's rexes, see the author field in first query and extract field in the second query.
Where are you checking for the these fields after you run your rex?Please hardcode first n confirm that the author or extract filed output is what you need

alt text

View solution in original post

vikram1583
Explorer

Data coming from cloud through heavy forwarder

0 Karma

vikram1583
Explorer

Yes this is working can you send me props to validate this data before coming to indexer I want that line to come as an event

0 Karma

Sukisen1981
Champion

hi @vikram1583
Please see below screen shot from my and @jpolvino 's rexes, see the author field in first query and extract field in the second query.
Where are you checking for the these fields after you run your rex?Please hardcode first n confirm that the author or extract filed output is what you need

alt text

jpolvino
Builder

Assuming it is always in the same position, this may work for you:

(your search)
| rex "(?<extract>.*)(\|.*?){6}"

Or

(your search)
| rex "(?<extract>(([^|]+)\|)\w+)"
0 Karma

vikram1583
Explorer

This is also not working

0 Karma

jpolvino
Builder

Then we need more detail please. You have 2 responses with confirmed working results. Is your event in a field, or is it _raw?

0 Karma

Sukisen1981
Champion

@jpolvino your rex is getting corrupted while pasting as a comment, it works for the answer you gave though, I think vikram has copied rex from your comments as it is and is getting rex errors

0 Karma

jpolvino
Builder

Yes, I see corrupted values. @vikram1583 please type a solution in manually.

0 Karma

Sukisen1981
Champion

hi @vikram1583
your initial query is index=email (host=10.114.5. OR host=10.124.5.) NOT default tippingpoint | rex whatever...
Remove the rex and first see whether you are receiving the event on which you want to apply rex. 2 possible issue - the earliest time range is excluding those events and I am also not ok with the NOT condition, if you mean to exclude default tippongpoint use it like this
index=email (host=10.114.5. OR host=10.124.5.) NOT ("default tippingpoint")
You might get nothing returned but you will not get a splunk syntax error on using the rexes, so when you say not working - what is not wokring?

@jpolvino - I think we need to ensure first that the source event is properly captured, rex is working but failing because of that. It is very late at night here, i will look into this again tomorrow in case this is still an issue

0 Karma

vikram1583
Explorer

@jpolvino | rex "(?.)(|.?){6}" while i am using this rex i am not getting any error, it is not changing anything in the event it remains the same

0 Karma

vikram1583
Explorer

@Sukisen1981 same thing with your rex i am not getting any error but results did not change same event is coming

0 Karma

vikram1583
Explorer

not working

0 Karma

jpolvino
Builder

Odd, they work for me. Is the event you posted accurate, even the pipe characters? Borrowing SPL from Sukisen1981:

| makeresults
| eval x="Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7611|Suspicious Country Blacklist|1|app=IP cnt=1 dst=192.54.112.30 dpt=53 act=Block cn1=0 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0"
| rex field=x "(?.)(|.?){6}"
| table extract

Produces:
Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint

So does the other example. I'm curious what you get!

0 Karma

vikram1583
Explorer

<37>Aug 27 11:57:42 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7610|Blacklist|1|app=IP cnt=1 dst=208.87.176.250 dpt=389 act=Block cn1=613 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0 cn3Label=Packet Trace cs1=CDE Perimeter Outbound cs1Label=Profile Name cs2=b005e16a-02dd-493c-a525-ba7c10c3e66c cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000007610 cs3Label=Signature UUID cs4=1 cs4Label=DeviceSegment cs5= cs5Label=SMS Name dvchost=DC1-IPS-04 cs6=185.94.111.1 cs6Label=Filter Message Parms srcip=185.94.111.1 spt=45138 externalId=115756483 rt=1566932262858 cat=Reputation proto=IP deviceInboundInterface=26 c6a2= c6a2Label=Source IPv6 c6a3= c6a3Label=Destination IPv6 request= requestMethod= dhost= sourceTranslatedAddress=185.94.111.1 c6a1= c6a1Label=Client IPv6 suser= sntdom= duser= dntdom=
host = 10.114.5.250 source = tcp:514 sourcetype = cisco:esa:legacy

This is the actual event

My search: index=email earliest=-10m (host=10.114.5.* OR host=10.124.5.*) NOT default tippingpoint | rex "(?(([^|]+)|)\w+)"

0 Karma

vikram1583
Explorer

<37>Aug 27 12:04:17 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7610|Blacklist|1|app=IP cnt=1 dst=208.87.176.47 dpt=8089 act=Block cn1=613 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0 cn3Label=Packet Trace cs1=CDE Perimeter Outbound cs1Label=Profile Name cs2=b005e16a-02dd-493c-a525-ba7c10c3e66c cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000007610 cs3Label=Signature UUID cs4=1 cs4Label=DeviceSegment cs5= cs5Label=SMS Name dvchost=DC1-IPS-04 cs6=185.216.140.16 cs6Label=Filter Message Parms srcip=185.216.140.16 spt=52075 externalId=115757480 rt=1566932657158 cat=Reputation proto=IP deviceInboundInterface=26 c6a2= c6a2Label=Source IPv6 c6a3= c6a3Label=Destination IPv6 request= requestMethod= dhost= sourceTranslatedAddress=185.216.140.16 c6a1= c6a1Label=Client IPv6 suser= sntdom= duser= dntdom=

0 Karma

jpolvino
Builder

Try putting this in your rex double quotes:
(?.)(|.?){6}

Do you get a Splunk error?

Try formatting your search like this:
index=email (host=10.114.5. OR host=10.124.5.) NOT default tippingpoint earliest=-10m | rex "(?.)(|.?){6}"

0 Karma

vikram1583
Explorer

index=email (host=10.114.5. OR host=10.124.5.) NOT default tippingpoint earliest=-10m | rex "(?.)(|.?){6}"

I am getting this error

Error in 'rex' command: Encountered the following error while compiling the regex '(?.)(|.?){6}': Regex: unrecognized character after (? or (?-.

0 Karma

Sukisen1981
Champion
|  rex field=_raw "(?<author>.*)\|+UnityOne"

or

    | makeresults 
    |  eval x="Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7611|Suspicious Country Blacklist|1|app=IP cnt=1 dst=192.54.112.30 dpt=53 act=Block cn1=0 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0" 
    |  rex field=x "(?<author>.*)\|+UnityOne"

vikram1583
Explorer

| rex field=x "(?.*)|+UnityOne" This Rex is working

i want to validate it before coming to the indexer want to write props for this can you please send me props Please

0 Karma

vikram1583
Explorer

Not working

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...