Splunk Search

How do I rex the number of infected files from a ClamAV scan report?

cyberportnoc
Explorer

Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0
source = /var/log/remote/icopenstack01.log sourcetype = icopenstack-too_small

How do I rex the number after "Infected files:"?

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+.)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

I use this query, but the Infected field is empty.

0 Karma
1 Solution

cpetterborg
SplunkTrust

You need to name the field you extracted (?P<Infected>\d+):

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d+)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")


somesoni2
SplunkTrust

I believe an additional dot at the end of your regex (after \d+) is causing your field extractions to fail. Use exact regex given by cpetterborg.

Also, when you post code/search, do remember to (after selecting the code/search) click on 101010 button or press Ctrl+K to format it, else, you'll lose special characters like capturing groups.

0 Karma
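The two points made above (the capture group must be named, and the trailing `.` after `\d+` makes the match fail when the count is the last thing on the line) can be checked outside Splunk, since Python's `re` module uses the same `(?P<name>...)` syntax. This is an added example and not code from the thread; the sample events and the hostname regex are constructed for it.

```python
import re

# Constructed sample events in the same format as the ClamAV syslog line from the question.
# The "12" line is included to show when the original regex matches by accident.
SAMPLE_EVENTS = [
    "Jul 10 06:59:22 icopenstack01 clamav[9040]: Infected files: 0",
    "Jul 10 07:12:03 icopenstack01 clamav[9040]: Infected files: 3",
    "Jul 10 07:30:41 icopenstack02 clamav[9113]: Infected files: 12",
    "Jul 10 07:30:41 icopenstack02 clamav[9113]: Scanned files: 1521",
]

# The regex from the question (with the group name restored) and the one from the accepted answer.
ORIGINAL_PATTERN = r"Infected files: (?P<Infected>\d+.)"
FIXED_PATTERN = r"Infected files: (?P<Infected>\d+)"

# Assumed syslog header layout for pulling the host out of the event (not from the thread).
HOST_PATTERN = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) clamav\[(?P<pid>\d+)\]:"


def extract_infected(event, pattern=FIXED_PATTERN):
    """Return the Infected count as an int, or None when the regex does not match
    (the equivalent of rex leaving the field empty)."""
    m = re.search(pattern, event)
    if m is None:
        return None
    return int(m.group("Infected"))


def table_infected(events, pattern=FIXED_PATTERN):
    """Rough equivalent of `| rex ... | table host, Infected`: one (host, Infected) row
    per event that yields an Infected value; events without one are dropped."""
    rows = []
    for event in events:
        host_match = re.match(HOST_PATTERN, event)
        infected = extract_infected(event, pattern)
        if host_match is None or infected is None:
            continue
        rows.append((host_match.group("host"), infected))
    return rows


def hosts_with_infections(events, pattern=FIXED_PATTERN):
    """Hosts whose ClamAV report shows at least one infected file (`| where Infected > 0`)."""
    return sorted({host for host, infected in table_infected(events, pattern) if infected > 0})


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN), ("fixed", FIXED_PATTERN)):
        print(name, table_infected(SAMPLE_EVENTS, pattern))
    print("hosts with infected files:", hosts_with_infections(SAMPLE_EVENTS))
```

With the original pattern only the `Infected files: 12` event produces a value: the engine backtracks so that `\d+` takes `1` and `.` takes `2`, so a two-digit count matches while `0` and `3` at end of line do not. That is why the extraction looked like it worked on some events and not others; the fixed pattern returns a value for every report line.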

cyberportnoc
Explorer

"Infected files:" | rex field=_raw "Infected files: (?P<Infected>\d*)" | convert timeformat="%Y-%m-%d" ctime(_time) AS date | table source, date, Infected | where date=strftime(now(), "%Y-%m-%d")

After trying many times, I discovered that \d* solves this.

0 Karma