Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

REX issue, quite an interesting one, potential bug?

mrgibbon
Contributor
‎11-17-2016 05:11 PM

Just wondering if anyone has ever seen this before?

This is the data I’m extracting from:

"Classic,Audit Failure",11/14/2016 9:32:27 AM,AD FS Auditing,516,-3,"The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 User: sausages\Abel.Caine Client IP: 103.1.1.1,10.1.1.1 nBad Password Count: 4 nLast Bad Password Attempt: 11/14/2016"

I’m trying to extract the bad password count.
By all means, this should work:
| rex "Password Count: (?P[^ \n]+)"

But it appears that Splunk sees the string ‘Count’ as a command, not just a string.
I get the total ‘count’ of those fields it finds.

alt text

I’ve tried escaping it, using “\s{1}\w{6}” and a load of others things.

Seen this before?

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2017 11:55 PM

This works fine:

... | rex "Password Count:\s*(?<Count>\d+)"
0 Karma
Reply

MuS
Legend
‎11-17-2016 05:59 PM

Hi mrgibbon 😉

works like a charm on Splunk 6.5.0:

| gentimes start=-1 
| eval gibbon="\"Classic,Audit Failure\",11/14/2016 9:32:27 AM,AD FS Auditing,516,-3,\"The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 User: sausages\Abel.Caine Client IP: 103.1.1.1,10.1.1.1 nBad Password Count: 4 nLast Bad Password Attempt: 11/14/2016\"" 
| rex field=gibbon "Password Count: (?P<count>[^ \n]+)" 
| table count

Here is the result:
alt text

Can you please add the complete search you are running?

cheers, MuS

Preview file
1 KB
0 Karma
Reply

mrgibbon
Contributor
‎11-17-2016 06:30 PM

Hmm, Im using 6.5.0.
Might be something quirky in the way the event is ingested, its only ADFS logs though, fairly std.

index=adfs "Event ID"=403 OR "Event ID"=516 NOT "Audit Success" 
| rex "blah.internal\\\(?P[^ \n]+)" 
| rex "Activity ID: (?P[^\n \"]+)"
| rex "((\\d{1,3}\.\\d{1,3}\.\\d{1,3}\.\\d{1,3}).+?(?P\\d{1,3}\.\\d{1,3}\.\\d{1,3}\.\\d{1,3}))"
| rex "nBad Password\s{1}\w{5}\:\s(?P[^ \n]+)" 
| rex "nLast Bad Password Attempt: (?P[^\"]+)"

This is just one variation I have tried, of course I have tried the most basic one I listed first.

0 Karma
Reply

wrangler2x
Motivator
‎11-18-2016 01:32 PM

Why the \n? Seems to me you only need [^ ]+

0 Karma
Reply

mrgibbon
Contributor
‎11-20-2016 08:00 PM

I added it in as when I view the event that number is actually below the leading text, like this:
nBad Password Count:
4

So I added it in to cope with that, but if you copy out the event its directly following the colon and a space. I have tried without it, still the same result.
Thanks

0 Karma
Reply

mrgibbon
Contributor
‎11-20-2016 08:03 PM

Also, I want the value of the field, not the count of those fields.

0 Karma
Reply

MuS
Legend
‎11-20-2016 09:22 PM

Hi mrgibbon, you know how to reach me - Can you send some sample data and the search and I will have a look at it 😉 Cheers, MuS

0 Karma
Reply

MuS
Legend
‎11-17-2016 06:34 PM

Can you use the code function so the named capturing groups are still in the search, please? 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...