Solved: Regex Help

ipops · ‎09-20-2017

I am trying to do a field extract but running into problems

Here is an example event. I am trying to build a regex to extract the signatures field (IP Fragmentation, DNS Amplification). The signature can be different for each event so I need to extract everything between the () after the word signatures. Can someone help me with a regex? My attempts are only returning partial events

Sep 19 23:32:49 10.201.1.79 [pfsp] emerg: Host Detection alert #13630, start 2017-09-19 23:31:45 UTC, duration 64, direction incoming, host 1.2.3.4, signatures (IP Fragmentation, DNS Amplification), impact 1.10 Gbps/117.80 Kpps, importance 2, managed_objects ("ARIN-Allocated Prefixes"), (parent managed object "nil")

Sep 20 04:56:50 10.201.1.79 [pfsp] emerg: Host Detection alert #13631, start 2017-09-20 04:56:45 UTC, duration 5, direction incoming, host 1.2.3.4, signatures (IP Fragmentation), impact 133.45 Mbps/21.82 Kpps, importance 1, managed_objects ("ARIN-Allocated Prefixes"), (parent managed object "nil")

koshyk · ‎09-20-2017

is this you looking for?

signatures\s\((?<signature_value>[^\)]+)\)

Example: https://regex101.com/r/3sEpdC/1

So your search would be something like

... | rex  "signatures\s\((?<signature_value>[^\)]+)\)"

View solution in original post

ipops · ‎09-20-2017

That worked!

Thanks so much!

koshyk · ‎09-20-2017

is this you looking for?

signatures\s\((?<signature_value>[^\)]+)\)

Example: https://regex101.com/r/3sEpdC/1

So your search would be something like

... | rex  "signatures\s\((?<signature_value>[^\)]+)\)"

Regex Help

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!