Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I need a wildcard in reg

RNB
Path Finder
‎03-07-2013 10:45 AM

I have an event that I want to extract the inside/outside IP Addresses and Port numbers.

Mar 6 13:59:59 192.168.140.215 %ASA-4-106023: Deny udp src outside:xxx.xxx.xxx.xxx/xxxxx dst inside:xxx.xxx.xxx.xxx/xxxxx by access-group "outside_access_in" [0x0, 0x0]

In a response to a previous question, the recommended search works successfully.

| rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by outside_ip outside_port

The issue I am having is to expand the rex to get both the inside and outside IP/ports. Another complicating factor is that inside: is actually inside_zone-app: where zone and app are variable. Obviously, my experience with regex is limited and I can't find a method to find inside*: and grab the data between the : and / assigning it to inside_ip. I have tried various ways unsuccessfully.

| rex "inside*:(?<inside_ip>[^/]+)/(?<inside_port>\S+)/outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by inside_ip inside_port outside_ip outside_port

Any help is appreciated.

Update:

I could not get this to work as just a single rex statement, but I was able to get it working with two rex's but without the wildcard. Of the wildcards that I tried that sort of worked returned the information after the second : in the message, not the information after inside*:.

| rex "inside_zoneB-AppA:(?<inside_ip>[^/]+)/(?<inside_port>\S+)" | rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by inside_ip inside_port outside_ip outside_port

Update[2]:

I don't think my explanations were clear enough and a single sample from the results likely did not help. All recomendations so far are appreciated, but I am not having any luck in using them as-is or incorporating them. (I am waiting for my manager to come in to buy RegexBuddy and RegexMagic.) I have included three non-redacted samples that I am trying to count and display in columns. I have stats and sort down, the Perl and Linux regex wildcard samples I have found and tried are not working when I try wildcard between inside*: as in inside_emr-gnplc: and inside_emr-frontdesk:.

Mar 7 13:59:58 192.168.140.215 %ASA-4-106023: Deny udp src inside_lab-gcpc:10.15.13.17/65227 dst outside:10.14.2.15/161 by access-group "lab-gcpc_access_in" [0x0, 0x0]

Mar 7 13:59:36 192.168.140.215 %ASA-4-106023: Deny tcp src inside_lab-frontdesk:10.15.7.5/54094 dst outside:10.2.103.71/26334 by access-group "lab-frontdesk_access_in" [0x0, 0x0]

Mar 7 13:57:51 192.168.140.215 %ASA-4-106023: Deny udp src outside:dhcp.admin.georgianc.on.ca/67 dst inside-work:10.15.11.19/68 by access-group "outside_access_in" [0x0, 0x0]

Tags (3)
0 Karma
Reply

bmacias84
Champion
‎03-07-2013 02:45 PM

Hello,

Here is a regex that I've tested and it works with your sample data.



outside:(?<scr_ip>((\d{1,3}.)){3}\d{1,3})/(?<scr_port>\d+[^\s])(?:[\s\w]+):(?<dest_ip>((\d{1,3}.)){3}\d{1,3})/(?<dest_port>\d+[^\s])

wildcard:


outside:(?<scr_ip>[^/:]+)/(?<scr_port>\d+[^\s])(?:[\s\w]+):(?<dest_ip>[^/:]+)/(?<dest_port>\d+[^\s])

Also I would consider adding this to Field extractions for that source type. which would look like this.


outside:(?P<scr_ip>((\d{1,3}.)){3}\d{1,3})/(?P<scr_port>\d+[^\s])(?:[\s\w]+):(?P<dest_ip>((\d{1,3}.)){3}\d{1,3})/(?P<dest_port>\d+[^\s])

wildcard:


outside:(?P<scr_ip>[^/:]+)/(?P<scr_port>\d+[^\s])(?:[\s\w]+):(?P<dest_ip>[^/:]+)/(?P<dest_port>\d+[^\s])

You could alternatively added this to your transform.conf and associated with the source within your props.conf.

I also suggest purchasing Regex tool like RegexBuddy it very handy.
Hope this helps or gets you started. If it does dont foget to accept or vote it up.

Updated and verified regex for your examples listed:
wildcard:



src\s+(?:[\w_-]+):(?<scr_ip>[^/:]+)/(?<scr_port>[^\s]+)\s+dst\s+(?:[\w_-]+):(?<dest_ip>[^/:]+)/(?<dest_port>[^\s]+)

Regex break down:

  • src\s+ - set begin of regex and match scr and white space
  • (?:[\w_-]+): -None capture group to match everything before colon(:) and after previous regex
  • (?<scr_ip>[^/:]+) - capture group that capture any data after colon(:) and before slash(/). Basiclly wild card with expections -(?<scr_port>[^\s]+) - capture group that capture any data after slash(/) and with no white space.Basiclly wild card with expections
  • \s+dst\s+ - regex for white space and dst
  • (?:[\w_-]+) - None capture group for any data after dst and before colon (:)
  • (?<dest_ip>[^/:]+) - Capture group for any data not colon or slash. Basiclly wild card with expections
  • : - regex for slash (/)
  • (?<dest_port>[^\s]+) -Capture group for any data not whitespace.Basiclly wild card with expections

I can create a regex wild card capture as long as you specify upper and lower bounds of your string.

Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎03-07-2013 12:44 PM

Try this snippet in your extraction:

outside:(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/(?<src_port>\d{1,4})\s+dst\s+inside:(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/(?<dest_port>\d{1,4})

As a personal preference I tend to avoid lazy expressions and wildcards as I always struggle with matching unknown possibilities. The field names used in the example above use part of the Common Information Model used by many apps in Splunk. Of course, you can rename to your own liking.

Good luck,

--gc

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎03-07-2013 02:08 PM

Well... If you have time, please post some sanitized log lines so we can extropolate an appropriate procedure. Five or ten lines should do for both IP-based and FQDN variants.

0 Karma
Reply

RNB
Path Finder
‎03-07-2013 01:13 PM

I like the idea of explicitly identifying the data I am trying to collect, but I am not getting any results with the snippet yet. I'll try again tomorrow.

I think I might have an issue with the d{1,3} as some of the outside addresses are resolved leaving me with a mixture of IP's and FQDN's.

I am still hoping to find the right syntax to get a wildcard working so that I can do something like this inside*: to return for things like inside_emr-gnplc, inside_emr-frontdesk, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...