Hi,
Thanks so much for taking the time to answer. I have been playing around a little with the regex you created. It's almost complete, but I cannot get it to work. The source and destination IP and port were wrong. It seemed the raw data looked a little different from the indexed data.
The indexed data:
25-02-2017 04:24 PM,Info,2001:41f0:xx:20::1,pfsensefw.ax.local,5,16777216,,1000000103,lagg1_vlan151,match,block,in,4,0x10,,16,0,0,none,17,udp,201,192.x.150.3,255.255.255.255,7303,7303,181
I already created this regex which is almost complete:
rex "^(?\S+)\s(?[^,]+),(?[^,]+),(?[^,]+),(?[^,]+),([^,]*,){6}(?[^,]+),([^,]*,){9}(?[^,]+),(?[^,]+),(?[^,]+),(?[^,]+),(?[^,]+),"
The issue is that the dst_port is wrong. In my example the dst_port is the 7303. I'm not sure which one 🙂 How can I get my regex working with dst_port 7303?
And after this is complete, how do I actually work with this regex? I already included it in a base search, selected verbose and chose the fields to be displayed. This works great. But is this something I need to do every time? Or can I save this search and then call it as a shortcut in my search field?
So my search looks like: host="myhost" | regex
Can I turn it into: shortcut | src_ip="IP" action="block" to really search smart?
Kind regards and thanks very much for the help.
Mark
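Added example, not part of Mark's post or of any answer in this thread: a small Python parser for the indexed line quoted above that labels every comma-separated position, and a named-group regex written in the same field-skipping style as the one in the post, so the two can be cross-checked. The field names are an assumption taken from the pfSense filterlog layout for an IPv4 TCP/UDP entry (with the four indexer-prepended fields in front); they are not from the post, whose own group names did not survive the page rendering. The sample line is the one from the post, copied as-is with its masked octets.

```python
import re
from typing import Dict, Optional

# Constructed sample: the indexed line quoted in the post, masking ("xx", "x") left as-is.
SAMPLE_LINE = (
    "25-02-2017 04:24 PM,Info,2001:41f0:xx:20::1,pfsensefw.ax.local,5,16777216,,"
    "1000000103,lagg1_vlan151,match,block,in,4,0x10,,16,0,0,none,17,udp,201,"
    "192.x.150.3,255.255.255.255,7303,7303,181"
)

# ASSUMPTION: names follow the pfSense filterlog format for an IPv4 TCP/UDP record,
# preceded by the four fields the indexer prepends (timestamp, level, reporter IP, host).
FIELD_NAMES = [
    "timestamp", "level", "reporter_ip", "host",
    "rule_number", "sub_rule_number", "anchor", "tracker_id", "interface",
    "reason", "action", "direction", "ip_version",
    "tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol",
    "length", "src_ip", "dst_ip", "src_port", "dst_port", "data_length",
]


def field_index(name: str) -> int:
    """0-based comma position of a field; handy for counting skip groups."""
    return FIELD_NAMES.index(name)


def parse_positional(line: str) -> Dict[str, str]:
    """Split on commas and label each position. Empty fields are kept, so positions stay stable."""
    fields = line.split(",")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


# Same skip-counting style as the post's rex: `(?:[^,]*,){N}` consumes N whole fields
# (empty ones included) without capturing. Group names are the assumed ones above.
FILTERLOG_RE = re.compile(
    r"^(?P<timestamp>[^,]+),(?P<level>[^,]+),(?P<reporter_ip>[^,]+),(?P<host>[^,]+),"
    r"(?:[^,]*,){6}"                                   # rule_number .. reason
    r"(?P<action>[^,]+),"
    r"(?:[^,]*,){9}"                                   # direction .. protocol_id
    r"(?P<protocol>[^,]+),(?P<length>\d+),"
    r"(?P<src_ip>[^,]+),(?P<dst_ip>[^,]+),"
    r"(?P<src_port>\d+),(?P<dst_port>\d+),(?P<data_length>\d+)$"
)


def parse_regex(line: str) -> Optional[Dict[str, str]]:
    """Extract the named groups, or None if the line is not an IPv4 TCP/UDP record."""
    m = FILTERLOG_RE.match(line)
    return m.groupdict() if m else None


def cross_check(line: str) -> bool:
    """True when every regex group agrees with the positional split for the same name."""
    by_pos = parse_positional(line)
    by_re = parse_regex(line)
    return by_re is not None and all(by_pos[k] == v for k, v in by_re.items())


if __name__ == "__main__":
    for name in ("src_ip", "dst_ip", "src_port", "dst_port"):
        print(f"{name:9} position {field_index(name):2} -> {parse_positional(SAMPLE_LINE)[name]}")
    print("regex and positional parse agree:", cross_check(SAMPLE_LINE))
```

Counting positions this way is the quickest check when a skip group is off by one: the two ports sit at positions 24 and 25, so whichever group is meant to be dst_port has to land on position 25. Python's `re` accepts this pattern with `(?P<name>...)`; Splunk's `rex` uses PCRE, where `(?<name>...)` is the equivalent syntax.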