Activity Feed
- Posted Re: How to extract the protocol, Device_IP, transaction sequence number and the message type with regex on Splunk Search. 11-15-2019 06:51 AM
- Posted Re: How to extract the protocol, Device_IP, transaction sequence number and the message type with regex on Splunk Search. 11-12-2019 09:48 AM
- Posted Re: How to extract the protocol, Device_IP, transaction sequence number and the message type with regex on Splunk Search. 11-12-2019 09:09 AM
- Posted How to extract the protocol, Device_IP, transaction sequence number and the message type with regex on Splunk Search. 11-12-2019 08:23 AM
- Posted Re: How can one represent different values for a single extracted field? on Splunk Search. 11-12-2019 06:41 AM
- Posted How can one represent different values for a single extracted field? on Splunk Search. 10-20-2019 09:32 AM
11-15-2019
06:51 AM
Sorry, I had to put this on hold for a few days. I was unable to get the transforms.conf method to work at first, so I took a step back and revisited the props.conf route. I suspected that trying to EXTRACT off of the EVAL to trim the file path off my source was the culprit, and I think I'm correct. I wrote the following regex into props.conf to extract values from the source field.
[mysourcetype]
category = Custom
description = Saved_Copies
pulldown_type = 1
EXTRACT-file = (?<File_Path>[^_]+)_(?<Source_IP>[^_]+)_(?<Seq_ID>\d+\-\d+)-\d+-(?<Message_Type>\w+\.\w+) in source
where an example source value is:
C:\Program Files (x86)\Folder1\Folder2\SavedCopies\TCP_10.101.100.111_1478-1573570987-8723-DeviceToNCE.xml
It seems to be working but I need to develop the regex further as I'm losing the Protocol at the moment.
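The props.conf pattern in the post above begins with (?<File_Path>[^_]+), which runs from the drive letter to the first underscore and therefore swallows the protocol along with the directory. As an added example that is not code from the thread, the following Python checks a corrected pattern against constructed source values before it goes into props.conf; the only syntax difference is that Python's re module writes named groups as (?P<name>...) where Splunk's PCRE writes (?<name>...). The stanza name in the props.conf comment is assumed, and Message_Type is captured without the extension (kept in a separate Ext group), which differs from the thread's \w+\.\w+ capture.

```python
import re

# Added example, not code from the thread. Splunk (PCRE) writes named groups as
# (?<name>...); Python's re needs (?P<name>...). Otherwise the pattern is the same.
#
# The directory part is consumed up to the LAST path separator, so the protocol
# is no longer swallowed the way [^_]+ from the start of the string swallows it.
FILE_NAME_RE = re.compile(
    r"^(?P<File_Path>.*[\\/])?"                  # optional directory, ends at last \ or /
    r"(?P<Proto>[^_]+)_"                         # protocol, e.g. TCP
    r"(?P<Device_IP>\d{1,3}(?:\.\d{1,3}){3})_"   # IPv4 device address
    r"(?P<Seq_ID>\d+-\d+)-\d+-"                  # first two parts of the sequence number
    r"(?P<Message_Type>\w+)\.(?P<Ext>xml|txt)$"  # message type, extension kept separate
)

# props.conf equivalent in Splunk group syntax (stanza name assumed):
#   [mysourcetype]
#   EXTRACT-file = ^(?<File_Path>.*[\\/])?(?<Proto>[^_]+)_(?<Device_IP>\d{1,3}(?:\.\d{1,3}){3})_(?<Seq_ID>\d+-\d+)-\d+-(?<Message_Type>\w+)\.(?<Ext>xml|txt)$ in source

# The thread's original pattern, kept only to show where the protocol goes.
ORIGINAL_RE = re.compile(
    r"(?P<File_Path>[^_]+)_(?P<Source_IP>[^_]+)_(?P<Seq_ID>\d+-\d+)-\d+-(?P<Message_Type>\w+\.\w+)"
)


def extract_fields(source):
    """Return the extracted fields for one source value, or None if it does not match."""
    m = FILE_NAME_RE.search(source)
    return m.groupdict() if m else None


def original_file_path(source):
    """Return what the thread's original pattern captures as File_Path."""
    m = ORIGINAL_RE.search(source)
    return m.group("File_Path") if m else None


# Constructed sample source values in the naming format described in the thread.
SAMPLE_SOURCES = [
    r"C:\Program Files (x86)\Folder1\Folder2\SavedCopies\TCP_10.101.100.111_1478-1573570987-8723-DeviceToNCE.xml",
    r"C:\Program Files (x86)\Folder1\Folder2\SavedCopies\UDP_10.101.100.112_1479-1573571001-17-NCEToDevice.txt",
    "TCP_10.101.100.111_1478-1573570987-8723-DeviceToNCE.xml",  # bare file name, no path
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(extract_fields(src))
    # The original pattern's File_Path ends in "\TCP": the protocol is inside it.
    print("original File_Path:", original_file_path(SAMPLE_SOURCES[0]))
```

Running the same pattern through `| rex field=source "..."` in a search first is the quickest way to confirm it behaves the same inside Splunk before committing it to props.conf.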
11-12-2019
09:48 AM
Okay, so by that passage, my line in props.conf should be:
EVAL-File_Name = ltrim(source,"C:\\Program Files (x86)\\Folder1\\Folder2\\SavedCopies\\")
EXTRACT-File_Name = (?<Proto>[^_]+)_(?<Device_IP>[^_]+)_(?<Seq_ID>\d+\-\d+)-\d+-(?<Message_Type>\w+\.\w+)
Included my eval for the File_Name here in case that may be causing issues. It doesn't appear to be working. Does this EXTRACT perhaps not belong in props.conf? I see some talk of a transforms.conf, but I don't have that file in my Splunk\etc\apps\search\local dir by default.
11-12-2019
09:09 AM
Perfect! Thank you! So three things:
1. I don't know the syntax for rex, it seems.
2. Is it better to define a character class with a negative match than trying to extract digits or words?
3. Would you know the syntax if I were to bake this regex into my props.conf file for my local data inputs?
11-12-2019
08:23 AM
I have a field called File_Name that I've generated by trimming the file path off of my source from a local data input.
The files are either XML or txt files, but the names all follow the same format.
They contain the protocol, device IP, a three-part transaction sequence number and a message type.
Example:
TCP_10.101.100.111_1478-1573570987-8723-DeviceToNCE.xml
I want to extract the protocol, Device_IP, the first two parts of the transaction sequence number (for event correlation) and the message type.
Here's what I've written so far, forgive me if it's inelegant, I'm still learning!
| rex field=File_Name "(?<Proto>\w+)_(?<Device_IP>\d+\.\d+\.\d+\.\d+)_(?<Seq_ID>\d+\-\d+)-\d+-(?<Message_Type>\w+\.\w+)"
11-12-2019
06:41 AM
Sorry I'm late getting back to you! This did send me in the right direction! I ended up using eval with a case() to classify the aliases that I was seeing:
| eval AliasType = case(
    match(Alias, "^AC") AND len(Alias) >= 10, "Class1",
    len(Alias) == 6 AND isnum(Alias), "Class2",
    match(Alias, "^NE"), "Class3",
    len(Alias) == 12 AND isnum(Alias), "Class4",
    NOT isnum(Alias) OR (len(Alias) != 12 AND len(Alias) != 6), "Class5"
)
10-20-2019
09:32 AM
This issue comes from the error logs of a login service. When a user scans their badge and attempts to log in with an invalid alias the resulting service exception will contain the following example text: "Unable to lookup personnel with barcode: 554067 and orgId: 1217864."
I've created a report to extract these events; it's a simple search containing:
| rex field=_raw "barcode: (?<Alias>.*) and orgId: (?<OrgID>.*)\."
This will generate the fields "Alias" and "OrgID." Valid aliases should be a 6-digit number. However, due to users scanning the wrong barcode, we see values of Alias like AC000000000000, NE000000 or sometimes a 6-letter alpha string. Is there any way for me to represent the count/percentage of invalid values of Alias? Ideally I'd want to create a graphical representation of this with a pie chart.
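The question above asks for the share of invalid aliases, and the reply earlier in this thread classifies them with an eval case(). As an added example that is not code from either post, the following Python runs the barcode extraction, the same first-match classification, and the invalid count and percentage over constructed exception lines in the format quoted in the question. Python's re module writes named groups as (?P<name>...) where Splunk writes (?<name>...); the \S+ and \d+ captures are an assumption that replaces the post's .* so the trailing period of the exception text cannot end up inside OrgID.

```python
import re
from collections import Counter

# Added example, not code from the thread. Python's re needs (?P<name>...)
# where Splunk's rex writes (?<name>...).
BARCODE_RE = re.compile(r"barcode: (?P<Alias>\S+) and orgId: (?P<OrgID>\d+)")


def parse_exception(message):
    """Return (Alias, OrgID) from one login-service exception line, or None."""
    m = BARCODE_RE.search(message)
    return (m.group("Alias"), m.group("OrgID")) if m else None


def classify_alias(alias):
    """First-match classification in the same branch order as the eval case()
    posted in this thread. The only valid alias is Class2: exactly six digits."""
    is_num = alias.isdigit()                 # isnum() on a rex-extracted string
    n = len(alias)
    if alias.startswith("AC") and n >= 10:   # match(Alias, "^AC") AND len(Alias) >= 10
        return "Class1"
    if n == 6 and is_num:
        return "Class2"
    if alias.startswith("NE"):               # match(Alias, "^NE")
        return "Class3"
    if n == 12 and is_num:
        return "Class4"
    return "Class5"                          # everything else


def summarize(lines):
    """Per-class counts plus the invalid count and percentage: the numbers a
    pie chart of AliasType is built from."""
    classes = []
    for line in lines:
        parsed = parse_exception(line)
        if parsed:
            classes.append(classify_alias(parsed[0]))
    counts = Counter(classes)
    invalid = len(classes) - counts["Class2"]
    pct = round(100.0 * invalid / len(classes), 1) if classes else 0.0
    return dict(counts), invalid, pct


# Constructed exception lines in the format quoted in the question.
SAMPLE_LOG = [
    "Unable to lookup personnel with barcode: 554067 and orgId: 1217864.",
    "Unable to lookup personnel with barcode: AC000000000000 and orgId: 1217864.",
    "Unable to lookup personnel with barcode: NE000000 and orgId: 1217864.",
    "Unable to lookup personnel with barcode: ABCDEF and orgId: 1217864.",
    "Unable to lookup personnel with barcode: 123456789012 and orgId: 1217864.",
    "Unable to lookup personnel with barcode: 987654 and orgId: 1217864.",
    "Service started",  # unrelated line, ignored by parse_exception
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In Splunk the same numbers come from `| stats count by AliasType` after the eval, which the pie chart visualization consumes directly; the percentage is what the chart shows per slice.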