Hi everyone,
I have data from Cisco ESA similar to these two examples:
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
and
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
Sometimes the "Suspected Domain" part is not a part of the data.
I want to add a field extraction for the "Threat Category" value (in this case "Spam").
Can anyone help me out with this? I tried the field extraction in Splunk, but Splunk can't handle both types (with a "," or a "." after the Category "Spam").
Regards,
Maik
@MOberschelp ,
UPDATED: to include special chars
"Threat Category:\s(?<Threat_Category>.+?)[,\.]"
Try
"Threat Category:\s(?<Threat_Category>\w+)"
OR
If you want to add . or ,
"Threat Category:\s(?<Threat_Category>\w+)[,\.]"
Thanks for the quick reply. This worked fine for my example.
But now I've seen that not all values are detected.
With this example the regex doesn't work:
Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: N/A, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
I think the problem here is the "/" in "N/A".
Any hints for this?
Tried my best at regex101.com, but regular expressions are my weakness... 😉
@MOberschelp ,
I was about to ask you about whether the category is always a string 🙂 . Try
Threat Category:\s(?<Threat_Category>.+?)[,\.]
Or, if "/" is the only special character you have to deal with, then the one below should also work
"Threat Category:\s(?<Threat_Category>[\w\/]+)[,\.]"
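To see why the `\w+` variants from the first answer stop at "N/A" while the two patterns in this answer capture it, here is an added example (not part of the original thread) that runs all four regexes over the three event shapes posted above. The events are constructed copies of the posted samples with placeholder MIDs, hosts and domains. One caveat on syntax: Splunk's PCRE engine accepts `(?<name>...)`, but Python's `re` module only understands the `(?P<name>...)` spelling for a named group, so the patterns are written that way here; the matching behaviour is otherwise the same.

```python
import re

# Constructed sample events in the same shape as the three posted in the thread
# (MIDs, hosts and domains are placeholders, not real data).
EVENTS = [
    'Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: '
    'Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : '
    'mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days '
    'for domain: email@domain.com',
    'Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: '
    'Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: '
    '1 year 8 months 15 days for domain: email@domain.com',
    'Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: '
    'Consolidated Sender Reputation: Poor, Threat Category: N/A, Suspected Domain(s) : '
    'mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days '
    'for domain: email@domain.com',
]

# The four patterns proposed in the thread. Splunk (PCRE) accepts (?<name>...);
# Python's re needs (?P<name>...) for the same named capture group.
PATTERNS = {
    "word_only":     re.compile(r"Threat Category:\s(?P<Threat_Category>\w+)"),
    "word_then_sep": re.compile(r"Threat Category:\s(?P<Threat_Category>\w+)[,\.]"),
    "lazy_then_sep": re.compile(r"Threat Category:\s(?P<Threat_Category>.+?)[,\.]"),
    "word_or_slash": re.compile(r"Threat Category:\s(?P<Threat_Category>[\w\/]+)[,\.]"),
}


def extract(pattern, event):
    """Return the Threat_Category value `pattern` extracts from one event, or None."""
    m = pattern.search(event)
    return m.group("Threat_Category") if m else None


def compare_patterns(events=EVENTS):
    """Map pattern name -> list of extracted values, one per event (None = no match).

    Expected on the three sample events:
      word_only     -> ['Spam', 'Spam', 'N']    (\\w+ stops before the '/')
      word_then_sep -> ['Spam', 'Spam', None]   ('/' is not ',' or '.', so no match)
      lazy_then_sep -> ['Spam', 'Spam', 'N/A']
      word_or_slash -> ['Spam', 'Spam', 'N/A']
    """
    return {name: [extract(p, e) for e in events] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, values in compare_patterns().items():
        print(f"{name:14s} {values}")
```

The lazy `.+?` form captures everything up to the first comma or period after the label, so it copes with any character the vendor puts in the category, but it would also truncate a value that itself contains a "," or "."; the `[\w\/]+` form is tighter and only admits word characters and "/". Pick the one that matches the set of category values you actually see in your ESA logs.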
Great! That just works perfect!
Thank you very much!