
I'm trying to find a regex that will grab the string between the 4th and 5th colon.

Example event:

cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Expected outcome:

libexpat

Solution:

I used GROK to parse this out.

%{WORD}[:]%{BASE10NUM}[:]%{WORD}[:]%{WORD}[:]%{WORD:[software][name]}

Thank you!

Ryszard Czech
JeremyP
  • use `^(?:[^:]+:){4}\K[^:]+`. Depending on whether your engine supports the reset. – Onyambu Jul 08 '22 at 20:28
  • Which language are you using? – Onyambu Jul 08 '22 at 20:31
  • @onyambu Thank you. The regex you provided works perfectly using simple online regex testers. However, when I attempted to implement this in a grok filter in Logstash I ran into some problems with the round brackets which is causing the filter to misbehave and match on too much. This is my syntax: `grok { match => { "[software][cpe]" => "(?<[software][name]>^(?:[^:]+:){4}\K[^:]+)" }` From what I understand, the grok filter requires these brackets but I'm currently troubleshooting a workaround. If you have some insights on how to get around this, that would be great. – JeremyP Jul 14 '22 at 13:16
  • what is the purpose of having `(?<[software][name]>...`?? YOU Cannot have the BEGINNING of the word be in the middle of the sentence if that even makes sense. ie the caret `^` shows the BEGINNING of the sentence yet you have it in the middle of the regex. That does not make any sense. You must always have `^` be at the beginning of the regex unless you have the flags or it is a literal caret. the part `software[name]` does not make sense. I do not know `grok` but your problem is how to use the regex I gave. – Onyambu Jul 14 '22 at 18:58

1 Answer


Switched to grok

%{WORD}[:]%{BASE10NUM}[:]%{WORD}[:]%{WORD}[:]%{WORD:[software][name]}
JeremyP
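An added example in Python (not code from the question, the answer, or Logstash; Grok itself cannot be run here). It shows the equivalent of the `\K` pattern from the comments for engines without `\K`, and beside it a splitter that honours the backslash escapes a CPE 2.3 formatted string may contain inside a value (`\:`), which neither a plain colon-splitting regex nor the grok pattern above understands. The CPE field names are the standard CPE 2.3 order; the escaped-colon input is a constructed sample.

```python
from __future__ import annotations
import re

# Field order of a CPE 2.3 formatted string, after the "cpe:2.3:" prefix.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# Equivalent of ^(?:[^:]+:){4}\K[^:]+ for engines without \K (Python's re):
# skip four colon-terminated fields, capture the fifth. Blind to escapes.
PRODUCT_RE = re.compile(r"^(?:[^:]+:){4}([^:]+)")


def product_by_regex(cpe: str) -> str | None:
    """Return the 5th colon-delimited field, exactly as the naive regex sees it."""
    m = PRODUCT_RE.match(cpe)
    return m.group(1) if m else None


def split_cpe23(cpe: str) -> list[str]:
    """Split on unescaped colons only. In CPE 2.3 a backslash escapes the next
    character, so '\\:' inside a value is part of the value, not a delimiter.
    Escape sequences are kept verbatim in the returned fields."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(cpe):
        c = cpe[i]
        if c == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if c == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Parse a CPE 2.3 formatted string into named fields, rejecting malformed input."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


if __name__ == "__main__":
    sample = "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*"  # from the question
    print(product_by_regex(sample), parse_cpe23(sample)["product"])
```

On the question's own input both approaches return `libexpat`; they only diverge once a vendor or product value contains an escaped colon, which is where a field-count check on the parsed result catches malformed input rather than silently matching the wrong field.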