
How to rex the number of infected files from a clamav scan report?

cyberportnoc
Explorer

Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0
source = /var/log/remote/icopenstack01.log sourcetype = icopenstack-too_small

How do I rex the number after "Infected files:" into a field?

"Infected files:" | rex field=_raw "Infected files: (?\d+.)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

I use this query, but the Infected field is empty.

1 Solution

cpetterborg
SplunkTrust

You need to name the field you extracted (?P<Infected>\d+):

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")


somesoni2
Revered Legend

I believe the additional dot at the end of your regex (after \d+) is causing your field extraction to fail. Use the exact regex given by cpetterborg.

Also, when you post code or a search, remember to select it and click the 101010 button or press Ctrl+K to format it; otherwise you'll lose special characters such as capturing groups.

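The difference between the question's regex and the accepted one, shown as an added Python example that is not part of this thread: Python's re accepts the same (?P<name>...) named-group syntax that Splunk's rex uses, so the patterns can be compared directly. The log lines are constructed to match the format in the question, and the per-host aggregation is an assumed use of the extracted field.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the syslog layout shown in the question (not real data).
SAMPLE_LOG = """\
Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0
Jul 10 07:14:02 icopenstack01 clamav[9102]: Infected files: 3
Jul 10 07:30:45 icopenstack01 clamav[9155]: Scanned files: 4821
Jul 10 07:31:10 icopenstack02 clamav[2201]: Infected files: 0
"""

# The accepted answer's pattern: a *named* group, so the value lands in a field.
# Splunk's rex uses PCRE; Python's re accepts the same (?P<name>...) syntax.
RE_NAMED = re.compile(r"Infected files: (?P<Infected>\d+)")

# The question's pattern with the trailing dot kept. The dot demands one more
# character after the digits, but the count is the last thing on the line.
RE_TRAILING_DOT = re.compile(r"Infected files: (?P<Infected>\d+.)")


def extract_infected(line: str, pattern: "re.Pattern[str]" = RE_NAMED) -> Optional[str]:
    """Return the captured 'Infected' text for one line, or None when the
    pattern does not match (what shows up as an empty field in Splunk)."""
    m = pattern.search(line.rstrip("\n"))
    return m.group("Infected") if m else None


def infected_hosts(log_text: str) -> Dict[str, int]:
    """Sum infected-file counts per host over all clamav summary lines.
    Hosts that scanned clean are kept (count 0) so their reports stay visible."""
    totals: Dict[str, int] = {}
    for line in log_text.splitlines():
        captured = extract_infected(line)
        if captured is None:
            continue  # not an 'Infected files:' summary line
        host = line.split()[3]  # syslog layout: Mon DD HH:MM:SS host ...
        totals[host] = totals.get(host, 0) + int(captured)
    return totals


def hosts_with_detections(log_text: str) -> List[str]:
    """Hosts whose scans reported at least one infected file: the alert cases."""
    return sorted(h for h, n in infected_hosts(log_text).items() if n > 0)


if __name__ == "__main__":
    print(infected_hosts(SAMPLE_LOG))         # {'icopenstack01': 3, 'icopenstack02': 0}
    print(hosts_with_detections(SAMPLE_LOG))  # ['icopenstack01']
```

With a multi-digit count the trailing-dot pattern still matches, but only because the last digit is consumed by the dot, which is why the failure shows up first on hosts reporting a single-digit count such as 0.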


cyberportnoc
Explorer

"Infected files:" | rex field=_raw "Infected files: (?<Infected>\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

After trying many times, I discovered that \d* can solve this.
