
rex syntax for extracting value from a set of match criteria

Path Finder

I want to create a rex that has a list of text to be matched, where the matched value is what needs to be extracted. It may end up as an EXTRACT in props.conf, but that is not my immediate concern. I am looking for the rex syntax that might look like this, but produces the results identified in the Expected result line below each sample rex. Sample data is below the rex.

%ASA | rex "tcp|udp|icmp" | stats count by Protocol
Expected result from line 1 of Sample data: Protocol=TCP

%ASA | rex "Built|Teardown|Deny|denied" | stats count by Action
Expected result from line 1 of Sample data: Teardown
Expected result from last line of Sample data: denied

Sample data:

Sep 22 08:23:58 xxx.xxx.xxx.xxx %ASA-6-302014: Teardown TCP connection 586562065 for outside:xxx.xxx.xxx.xxx/xxxxx to inside:xxx.xxx.xxx.xxx/xxxxx duration 0:00:53 bytes 3974 TCP FINs
Sep 22 08:23:57 xxx.xxx.xxx.xxx %ASA-6-302013: Built outbound TCP connection 586562792 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:13:51 xxx.xxx.xxx.xxx %ASA-6-302015: Built inbound UDP connection 586601069 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside-research:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:15:26 xxx.xxx.xxx.xxx %ASA-4-106023: Deny tcp src biz-research:xxx.xxx.xxx.xxx/xxxxx dst outside:xxx.xxx.xxx.xxx/xxxxx by access-group "biz-researchin" [0x0, 0x0]
Sep 22 09:23:36 xxx.xxx.xxx.xxx %ASA-3-710003: TCP access denied by ACL from xxx.xxx.xxx.xxx/xxxxx to outside:xxx.xxx.xxx.xxx/xxxxx


Re: rex syntax for extracting value from a set of match criteria

SplunkTrust

Try something like this

%ASA | rex "(?<Protocol>(TCP|UDP|ICMP|tcp|udp|icmp))"  | stats count by Protocol

%ASA | rex "(?<Action>(Built|Teardown|Deny|denied))"  | stats count by Action

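The accepted answer works because rex takes a PCRE pattern, keeps the first match in each event, and turns every named capture group into a field. The example below is added here to show that behaviour on the question's own sample events; it is not code from the original thread. It re-implements just enough of `rex` and `stats count by` in Python to run the two patterns from the answer offline (Python spells named groups `(?P<name>...)`, so a small conversion from the Splunk `(?<name>...)` form is included). It also shows the one caveat a practitioner would want: the capture keeps the original case, so `Deny tcp` and `Teardown TCP` land in different `stats` buckets unless the value is normalised (in Splunk, the equivalent would be `| eval Protocol=upper(Protocol)` after the rex). The `normalize` flag and the helper names are this example's assumptions, not Splunk features.

```python
import re

# Constructed sample events: the five ASA lines from the question
# (addresses were already masked as xxx in the original post).
EVENTS = [
    'Sep 22 08:23:58 xxx.xxx.xxx.xxx %ASA-6-302014: Teardown TCP connection 586562065 '
    'for outside:xxx.xxx.xxx.xxx/xxxxx to inside:xxx.xxx.xxx.xxx/xxxxx duration 0:00:53 bytes 3974 TCP FINs',
    'Sep 22 08:23:57 xxx.xxx.xxx.xxx %ASA-6-302013: Built outbound TCP connection 586562792 '
    'for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )',
    'Sep 22 09:13:51 xxx.xxx.xxx.xxx %ASA-6-302015: Built inbound UDP connection 586601069 '
    'for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside-research:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )',
    'Sep 22 09:15:26 xxx.xxx.xxx.xxx %ASA-4-106023: Deny tcp src biz-research:xxx.xxx.xxx.xxx/xxxxx '
    'dst outside:xxx.xxx.xxx.xxx/xxxxx by access-group "biz-researchin" [0x0, 0x0]',
    'Sep 22 09:23:36 xxx.xxx.xxx.xxx %ASA-3-710003: TCP access denied by ACL '
    'from xxx.xxx.xxx.xxx/xxxxx to outside:xxx.xxx.xxx.xxx/xxxxx',
]

# The two patterns exactly as written in the accepted answer (Splunk rex syntax).
PROTOCOL_REX = r"(?<Protocol>(TCP|UDP|ICMP|tcp|udp|icmp))"
ACTION_REX = r"(?<Action>(Built|Teardown|Deny|denied))"


def splunk_rex_to_python(pattern):
    """Splunk's rex uses PCRE named groups (?<name>...); Python's re module
    needs (?P<name>...). The lookahead leaves lookbehinds (?<= and (?<! alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def rex(event, pattern):
    """Mimic `| rex "<pattern>"` on one event: the leftmost match wins and each
    named group becomes a field. Returns {} when nothing matched, mirroring
    Splunk leaving the field absent on that event."""
    m = re.search(splunk_rex_to_python(pattern), event)
    return m.groupdict() if m else {}


def stats_count_by(events, pattern, field, normalize=False):
    """Mimic `| rex ... | stats count by <field>`. With normalize=True the
    extracted value is upper-cased first (assumed helper, akin to
    `| eval <field>=upper(<field>)` in SPL) so that case variants merge."""
    counts = {}
    for event in events:
        value = rex(event, pattern).get(field)
        if value is None:
            continue  # event contributes nothing, as in Splunk
        if normalize:
            value = value.upper()
        counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    print(rex(EVENTS[0], PROTOCOL_REX))                     # {'Protocol': 'TCP'}
    print(stats_count_by(EVENTS, PROTOCOL_REX, "Protocol"))  # TCP and tcp counted apart
    print(stats_count_by(EVENTS, PROTOCOL_REX, "Protocol", normalize=True))
    print(stats_count_by(EVENTS, ACTION_REX, "Action"))
```

Note that the Action pattern needs no normalisation for the sample data: "Deny" and "denied" are distinct ASA wordings (message 106023 versus 710003), so keeping them separate is what the question asked for. The Protocol split, on the other hand, is a real reporting pitfall: a dashboard counting denied connections per protocol would silently under-count if the lower-case `tcp` from 106023 events sits in its own row.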


Re: rex syntax for extracting value from a set of match criteria

Path Finder

Perfect! This works great and is one more thing I have learned to do with rex.


Re: rex syntax for extracting value from a set of match criteria

Path Finder

@somesoni2, could you please help to extract the value as shown below? Thanks in advance.

\"business\":{\"code\":[\"1221\"] exists in every event. So, I want to store that value in a typevalue field. Required output: typevalue=1221.
