Splunk Search

rex syntax for extracting value from a set of match criteria

RNB
Path Finder

I want to create a rex that has a list of text to be matched, where the matched value is what needs to be extracted. It may end up as an EXTRACT in props.conf, but that is not my immediate concern. I am looking for the rex syntax that might look like this, but produce the results identified in the Expected result line below each sample rex. Sample data is below the rex.

%ASA | rex "tcp|udp|icmp" | stats count by Protocol
Expected result from line 1 of Sample data: Protocol=TCP

%ASA | rex "Built|Teardown|Deny|denied" | stats count by Action
Expected result from line 1 of Sample data: Teardown
Expected result from last line of Sample data: denied

Sample data:

Sep 22 08:23:58 xxx.xxx.xxx.xxx %ASA-6-302014: Teardown TCP connection 586562065 for outside:xxx.xxx.xxx.xxx/xxxxx to inside:xxx.xxx.xxx.xxx/xxxxx duration 0:00:53 bytes 3974 TCP FINs
Sep 22 08:23:57 xxx.xxx.xxx.xxx %ASA-6-302013: Built outbound TCP connection 586562792 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:13:51 xxx.xxx.xxx.xxx %ASA-6-302015: Built inbound UDP connection 586601069 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside-research:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:15:26 xxx.xxx.xxx.xxx %ASA-4-106023: Deny tcp src biz-research:xxx.xxx.xxx.xxx/xxxxx dst outside:xxx.xxx.xxx.xxx/xxxxx by access-group "biz_-research_in" [0x0, 0x0]
Sep 22 09:23:36 xxx.xxx.xxx.xxx %ASA-3-710003: TCP access denied by ACL from xxx.xxx.xxx.xxx/xxxxx to outside:xxx.xxx.xxx.xxx/xxxxx

0 Karma
1 Solution

somesoni2
SplunkTrust

Try something like this

%ASA | rex "(?<Protocol>(TCP|UDP|ICMP|tcp|udp|icmp))"  | stats count by Protocol

%ASA | rex "(?<Action>(Built|Teardown|Deny|denied))"  | stats count by Action


RNB
Path Finder

Perfect! This works great and is one more thing I have learned to do with rex.

0 Karma

james_n
Path Finder

@somesoni2, could you please help to extract the value as shown below? Thanks in advance.

\"business\":{\"code\":[\"1221\"] exists in every event. I want to store that value in a type_value field. Required output: type_value=1221.

0 Karma