Checking multiple Regex against one sourcetype

Drainy
Champion

I'm trying to define multiple REGEX for one sourcetype. Because the events can vary massively I need to have different regex to recognise the different events.

Here are the contents of my props and transforms confs:
transforms.conf

[tcpdump_basic]
REGEX = ([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+[^:]+) ([^ ]+) ([1-2]{0,1}[0-9]{1,2}\.[1-2]{0,1}[0-9]{1,2}\.[1-2]{0,1}[0-$
FORMAT = timestamp::$1 src_mac::$3 dest_mac::$5 net_layer::$8 source_host::$12 source_port::$14 destin_host::$16 destin_port::$18 protocol::$20

[tcpdump_vlan]
REGEX = ([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)([^:]+)([^ ]+) ([^ ]+) ([^,]+)([^ ]+)([^,]+)([^ ]+)([^,]+)([^ ]+)([^,]+)$
FORMAT = timestamp::$1 src_mac::$3 dest_mac::$5 encapsulation::$8 packet_length::$11 vlan_id::$14 message::$28


props.conf

[packet-capture]

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

REPORT-tcpdump_basic = tcpdump_basic
REPORT-tcpdump_vlan = tcpdump_vlan

The tcpdump_basic format always takes effect against the relevant events, but the vlan one never takes effect. According to RegExr it should recognise the event it's based on (I used RegExr to build the first regex too).
Some example data:

The one that tcpdump_basic correctly identifies:

17:59:01.098070 00:21:85:6f:cc:cb > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), length 75: 192.168.254.6.61231 > 224.0.0.252.5355: UDP, length 33

The one that I want tcpdump_vlan to identify; the regex appears to work on RegExr, but it isn't working with the setup shown above, or when just used alone:

18:14:56.431181 00:0f:90:e9:12:c2 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 64: vlan 1, p 7, LLC, dsap STP (0x42), ssap STP (0x42), cmd 0x03: 802.1d config 8001.00:0f:90:e9:12:c0.8002 root 8001.00:05:dc:c0:9c:00 pathcost 19 age 1 max 20 hello 2 fdelay 15 
    0x0000:  0180 c200 0000 000f 90e9 12c2 8100 e001  ................
    0x0010:  0026 4242 0300 0000 0000 8001 0005 dcc0  .&BB............
    0x0020:  9c00 0000 0013 8001 000f 90e9 12c0 8002  ................
    0x0030:  0100       

Anyone have any ideas?

1 Solution

Drainy
Champion

Ok, I've fixed it.
Instead I am just capturing smaller and readily identifiable chunks of data.
My biggest reason for not doing that before was that I needed to identify source and destination, but obviously after thinking it out I can just include the > in the regex to correctly list these.
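The approach in the accepted answer, as an added example that is not code from the original post: instead of one enormous regex per event shape, each field is pulled out of a small, readily identifiable chunk of the tcpdump line, and the ">" separator is used so that one pattern yields both the source and the destination. This example uses Python's re module rather than Splunk's transforms.conf, and the field names (timestamp, src_mac, dest_mac, packet_length, vlan_id, source_host, source_port, destin_host, destin_port, protocol) are taken from the question's FORMAT lines; the two sample lines are the ones posted above.

```python
import re
from typing import Dict

# Sample input constructed for this example: the two tcpdump lines quoted in
# the question (trailing hex dump omitted, since the field regexes never touch it).
BASIC_LINE = (
    "17:59:01.098070 00:21:85:6f:cc:cb > 01:00:5e:00:00:fc, ethertype IPv4 (0x0800), "
    "length 75: 192.168.254.6.61231 > 224.0.0.252.5355: UDP, length 33"
)
VLAN_LINE = (
    "18:14:56.431181 00:0f:90:e9:12:c2 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), "
    "length 64: vlan 1, p 7, LLC, dsap STP (0x42), ssap STP (0x42), cmd 0x03: 802.1d config "
    "8001.00:0f:90:e9:12:c0.8002 root 8001.00:05:dc:c0:9c:00 pathcost 19 age 1 max 20 hello 2 fdelay 15"
)

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One small regex per chunk of the line. Each is anchored on a literal token
# ("ethertype", "length", "vlan") or on the ">" that separates source from
# destination, so a pattern that does not apply to an event simply fails to
# match and contributes nothing, instead of silently breaking the others.
EXTRACTIONS = [
    re.compile(r"^(?P<timestamp>\d{2}:\d{2}:\d{2}\.\d+)"),
    re.compile(rf"(?P<src_mac>{MAC}) > (?P<dest_mac>{MAC})"),
    re.compile(r"ethertype (?P<ethertype>[^ ]+) \((?P<ethertype_code>0x[0-9a-f]{4})\)"),
    # The frame length is the "length N:" right before the payload summary;
    # the trailing "length 33" of a UDP line has no colon, so it is not matched.
    re.compile(r"length (?P<packet_length>\d+):"),
    re.compile(r"vlan (?P<vlan_id>\d+), p (?P<vlan_priority>\d+)"),
    re.compile(
        rf"(?P<source_host>{IPV4})\.(?P<source_port>\d+) > "
        rf"(?P<destin_host>{IPV4})\.(?P<destin_port>\d+): (?P<protocol>[A-Za-z0-9]+)"
    ),
]


def extract_fields(line: str) -> Dict[str, str]:
    """Apply every chunk regex and merge the named groups of those that match."""
    fields: Dict[str, str] = {}
    for regex in EXTRACTIONS:
        match = regex.search(line)
        if match:
            fields.update(match.groupdict())
    return fields


def classify(line: str) -> str:
    """Label the event shape from the fields that were actually extracted."""
    fields = extract_fields(line)
    if "vlan_id" in fields:
        return "vlan"
    if "source_host" in fields:
        return "basic"
    return "unknown"


if __name__ == "__main__":
    for sample in (BASIC_LINE, VLAN_LINE):
        print(classify(sample), extract_fields(sample))
```

Because every pattern is independent, the same set of extractions can be attached to a single sourcetype: a basic IPv4 line produces host, port and protocol fields and no vlan fields, while an 802.1Q line produces vlan_id and vlan_priority and no IP fields. In Splunk terms this corresponds to several short REPORT-* transforms rather than one long REGEX whose many capture groups must all line up for any field to be assigned.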
