×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dipasqum
Observer
Member since: ‎09-20-2017
‎12-15-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-20-2017
Activity Feed
View All

Re: Field extraction using regex -- Do I need to u...

by SplunkTrust in Splunk Search
‎12-13-2017 11:54 AM
‎12-13-2017 11:54 AM
Since you are talking Cisco ASA events, this seems to work quite well on the events that we collect: rex "(?P<protocol>\w+)\s+connection" In our data only 60 events out of 36,000,000 didn't match a protocol. The protocol wasn't always something caught correctly, however. Here is the breakdown of the value of protocol of the 36M events: TCP - 69% no - 11% ICMP - 10% UDP - 10% matching - .05% Everything else made up less than 200 events of the 36M. So if you eliminate no and matching from your results, you should get a pretty good result set: rex "(?P<protocol>\w+)\s+connection" | search protocol=* regex protocol!="(no|matching|closing|Dropped|deleting|allocate)" There's plenty of opportunity to make changes to this, but it is at least a start. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-15-2020 04:31 PM