Splunk Search

How to rex the number of infected files from a ClamAV scan report?

cyberportnoc
Explorer

Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0
source = /var/log/remote/icopenstack01.log sourcetype = icopenstack-too_small

How do I rex the number after "Infected files:"?

"Infected files:" | rex field=_raw "Infected files: (?\d+.)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

I use this query, but the Infected field is empty.

0 Karma
1 Solution

cpetterborg
SplunkTrust

You need to name the field you extracted (?P<Infected>\d+):

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")


somesoni2
Revered Legend

I believe the additional dot at the end of your regex (after \d+) is causing your field extraction to fail. Use the exact regex given by cpetterborg.

Also, when you post code/search, do remember to (after selecting the code/search) click on the 101010 button or press Ctrl+K to format it; otherwise you'll lose special characters like capturing groups.

0 Karma
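To make the two points in this thread concrete (the capture group must be named, and a trailing `.` after `\d+` stops the pattern from matching a line that ends right after the count), here is an added Python example that is not part of the original thread. Python's re module accepts the same `(?P<name>...)` named-group syntax that Splunk's rex command uses, so the behaviour carries over; the ClamAV log lines below are constructed for the example, and the helper names are my own.

```python
import re

# Constructed sample syslog lines in the format shown in the question.
SAMPLE_LINES = [
    "Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0",
    "Jul 10 07:12:05 icopenstack02 clamav[9131]: Infected files: 3",
    "Jul 10 07:13:44 icopenstack03 clamav[9145]: Scanned files: 1200",
]

# The regex from the accepted answer: a named group and nothing after \d+.
INFECTED_RE = re.compile(r"Infected files: (?P<Infected>\d+)")

# The question's original pattern with its trailing '.', which demands one
# more character after the digits and therefore never matches a line that
# ends immediately after the count.
INFECTED_TRAILING_DOT_RE = re.compile(r"Infected files: (?P<Infected>\d+.)")


def pattern_compiles(pattern):
    """True if the pattern is a valid regex. The unnamed '(?\\d+.)' form shown
    in the question (the group name was lost to forum formatting) is not."""
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def extract_infected(line, pattern=INFECTED_RE):
    """Return the Infected count as an int, or None when the pattern does not
    match, which is the equivalent of an empty field in Splunk."""
    m = pattern.search(line)
    if m is None:
        return None
    return int(m.group("Infected"))


def infected_by_host(lines, pattern=INFECTED_RE):
    """Map hostname -> infected count for every line the pattern matches."""
    result = {}
    for line in lines:
        count = extract_infected(line, pattern)
        if count is None:
            continue
        host = line.split()[3]  # syslog layout: Mon DD HH:MM:SS host ...
        result[host] = count
    return result


def hosts_with_infections(lines, pattern=INFECTED_RE):
    """Hosts whose last ClamAV report counted at least one infected file;
    this is the set a detection search would alert on."""
    return sorted(h for h, c in infected_by_host(lines, pattern).items() if c > 0)


if __name__ == "__main__":
    print("named group:        ", infected_by_host(SAMPLE_LINES))
    print("with trailing dot:  ", infected_by_host(SAMPLE_LINES, INFECTED_TRAILING_DOT_RE))
    print("hosts to alert on:  ", hosts_with_infections(SAMPLE_LINES))
```

Running the script shows the named-group pattern extracting 0 and 3 for the two hosts that reported, the trailing-dot pattern extracting nothing at all, and only icopenstack02 being flagged for follow-up.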


cyberportnoc
Explorer

"Infected files:" | rex field=_raw "Infected files: (?\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

After trying many times, I discovered that \d* can solve this.

0 Karma