I am trying to find a regex expression to help filter Splunk results from ingested IIS logs such that when the CRYPT_PROTOCOL response is less than 400 it is displayed.
- Can you show a sample response to help you out? – Dhruvil21_04 Feb 07 '19 at 07:26
- Essentially, I am trying to parse a line like the one shown below, and find a match for responses at the very end of the line that are less than the "- 400" that is shown: 2019-01-21 05:59:17 10.229.17.21 GET /owa/healthcheck.htm &encoding=; 443 - 12.225.32.22 - www.somesite.com 200 0 0 293 80 1 - 400 – Patrick H. Feb 07 '19 at 13:39
- Please update your question with the above sample to get better help from others too. Do you want '-' in -400 too? Is 400 going to be last every time? – Dhruvil21_04 Feb 07 '19 at 17:34
1 Answer
0
Actually, we were able to figure it out. We broke up the log into fields with regex, then created tables in Splunk from there, like so:
index="msexchange" sourcetype=MSWindows:2016W3SVC1:IIS earliest="02/07/2019:09:00:00" latest="02/07/2019:09:30:00" | rex field=_raw "(?<date>\d{4}-\d{2}-\d{2})\s(?<time>\d{2}:\d{2}:\d{2})\s(?<sip>\S*)\s(?<csmethod>\w+)\s(?<csuristem>\S*)\s(?<csuriquery>\S*[;-])\s(?<sport>\S*)\s(?<csusername>\S*)\s(?<cip>\S*)\s(?<csuseragent>\S*)\s(?<cshost>[\w.]+)\s(?<csstatus>\S*)\s(?<cssubstatus>\S*)\s(?<cswin32status>\S*)\s(?<scbytes>\S*)\s(?<csbytes>\S*)\s(?<timetaken>\S*)\s(?<originalip>\S*)\s(?<cryptoprotocol>\S*)" | where cryptoprotocol<400 | table _time sip csmethod sport csusername cip csuseragent cshost csstatus cssubstatus cswin32status scbytes csbytes timetaken originalip cryptoprotocol | sort 0 -_time
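As an added example (not part of the answer above), the same 19-field layout parsed in Python with named groups, which makes explicit two things the Splunk query leaves implicit: lines that are not full W3C entries (such as a #Fields header) are skipped, and a trailing "-" is never compared as if it were a number. Group names not present in the answer's table (date, time, csuristem, csuriquery) and the extra sample lines are assumptions.

```python
import re

# Field order follows the IIS W3C layout the answer's rex extracts. This is an
# added example, not the answer's own code; names date/time/csuristem/csuriquery
# are assumed, the rest are the answer's table fields.
IIS_LINE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2})\s(?P<time>\d{2}:\d{2}:\d{2})\s(?P<sip>\S+)\s"
    r"(?P<csmethod>\w+)\s(?P<csuristem>\S+)\s(?P<csuriquery>\S+)\s(?P<sport>\S+)\s"
    r"(?P<csusername>\S+)\s(?P<cip>\S+)\s(?P<csuseragent>\S+)\s(?P<cshost>[\w.]+)\s"
    r"(?P<csstatus>\S+)\s(?P<cssubstatus>\S+)\s(?P<cswin32status>\S+)\s"
    r"(?P<scbytes>\S+)\s(?P<csbytes>\S+)\s(?P<timetaken>\S+)\s"
    r"(?P<originalip>\S+)\s(?P<cryptoprotocol>\S+)$"
)


def parse_iis_line(line):
    """Return a dict of named fields, or None if the line is not a 19-field W3C entry."""
    m = IIS_LINE.match(line.strip())
    return m.groupdict() if m else None


def to_int(value):
    """IIS writes '-' for an empty field; treat that (and anything non-numeric) as None."""
    return int(value) if value.isdigit() else None


def below_threshold(lines, threshold=400):
    """Yield parsed entries whose trailing crypt-protocol field is numeric and < threshold.

    Entries whose last field is '-' are skipped instead of being compared as strings.
    """
    for line in lines:
        fields = parse_iis_line(line)
        if fields is None:
            continue
        proto = to_int(fields["cryptoprotocol"])
        if proto is not None and proto < threshold:
            yield fields


# Constructed sample log: the first entry mirrors the poster's comment, the rest are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
2019-01-21 05:59:17 10.229.17.21 GET /owa/healthcheck.htm &encoding=; 443 - 12.225.32.22 - www.somesite.com 200 0 0 293 80 1 - 400
2019-01-21 05:59:18 10.229.17.21 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 www.somesite.com 200 0 0 1024 512 15 - 300
2019-01-21 05:59:19 10.229.17.21 POST /ews/exchange.asmx - 443 - 198.51.100.7 - www.somesite.com 401 1 0 0 0 3 - -
"""

if __name__ == "__main__":
    for entry in below_threshold(SAMPLE_LOG.splitlines()):
        print(entry["time"], entry["cip"], entry["csstatus"], entry["cryptoprotocol"])
```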