- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: What is the problem with Regex field extractio...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I have data from Cisco ESA similar to this two examples:
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
and
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
Sometimes the "Suspected Domain" part is not a part of the data.
I want to add a field extraction for the "Threat Category" value (in this case "Spam") .
Can anyone help me out with this? I tried the field extraction in Splunk, but Splunk can't handle both types (with a , or . after the Category "Spam")
Regards,
Maik
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MOberschelp ,
UPDATED: to include special chars
"Threat Category:\s(?<Threat_Category>.+?)[,\.]"
Try
"Threat Category:\s(?<Threat_Category>\w+)"
OR
If you want to add . or ,
"Threat Category:\s(?<Threat_Category>\w+)[,\.]"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MOberschelp ,
UPDATED: to include special chars
"Threat Category:\s(?<Threat_Category>.+?)[,\.]"
Try
"Threat Category:\s(?<Threat_Category>\w+)"
OR
If you want to add . or ,
"Threat Category:\s(?<Threat_Category>\w+)[,\.]"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick reply. This worked fine for my example.
But now I've seen that not all values are detected.
@this example the regex doesn't work:
Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: N/A, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
I think here is the "/" @ "N/A" the problem.
Any hints for this?
Tried my best @ regex101.com but regular expressions are my weakness... 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MOberschelp ,
I was about to ask you about whether the category is always a string 🙂 . Try
Threat Category:\s(?<Threat_Category>.+?)[,\.]
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or if you have only "/" in the list of special characters, then below also should work
"Threat Category:\s(?<Threat_Category>[\w\/]+)[,\.]"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! That just works perfect!
Thank you very much!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
