Splunk Search

rex syntax for extracting value from a set of match criteria

RNB
Path Finder

I am wanting to create a rex that will have a list of text that is to be matched, but the matched value is what needs to be extracted. It may end up as an EXTRACT in props.conf, but that is not my immediate concern. I am looking for the rex syntax that might look like this, but produce the results identified in the Expected result line below the sample rex. Sample data is below the rex.

%ASA | rex "tcp|udp|icmp" | stats count by Protocol
Expected result from line 1 of Sample data: Protocol=TCP

%ASA | rex "Built|Teardown|Deny|denied" | stats count by Action
Expected result from line 1 of Sample data: Teardown
Expected result from last line of Sample data: denied

Sample data:

Sep 22 08:23:58 xxx.xxx.xxx.xxx %ASA-6-302014: Teardown TCP connection 586562065 for outside:xxx.xxx.xxx.xxx/xxxxx to inside:xxx.xxx.xxx.xxx/xxxxx duration 0:00:53 bytes 3974 TCP FINs
Sep 22 08:23:57 xxx.xxx.xxx.xxx %ASA-6-302013: Built outbound TCP connection 586562792 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:13:51 xxx.xxx.xxx.xxx %ASA-6-302015: Built inbound UDP connection 586601069 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside-research:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:15:26 xxx.xxx.xxx.xxx %ASA-4-106023: Deny tcp src biz-research:xxx.xxx.xxx.xxx/xxxxx dst outside:xxx.xxx.xxx.xxx/xxxxx by access-group "biz_-research_in" [0x0, 0x0]
Sep 22 09:23:36 xxx.xxx.xxx.xxx %ASA-3-710003: TCP access denied by ACL from xxx.xxx.xxx.xxx/xxxxx to outside:xxx.xxx.xxx.xxx/xxxxx

0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this

 %ASA | rex "(?<Protocol>(TCP|UDP|ICMP|tcp|upd|icmp))"  | stats count by Protocol

%ASA | rex "(?<Action>(Built|Teardown|Deny|denied))"  | stats count by Action

View solution in original post

somesoni2
Revered Legend

Try something like this

 %ASA | rex "(?<Protocol>(TCP|UDP|ICMP|tcp|upd|icmp))"  | stats count by Protocol

%ASA | rex "(?<Action>(Built|Teardown|Deny|denied))"  | stats count by Action

RNB
Path Finder

Perfect! This works great and is one more thing I have learned to do with rex.

0 Karma

james_n
Path Finder

@somesoni2 , could you please help to extract the value as shown below, thanks in advance.

\"business\":{\"code\":[\"1221\"] this is exist in every event. So, I want to be store that value in type_value field. required output type_value=1221.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...