What is RegEx
Finite automata, from mathematician Stephen Cole Kleene.
Implemented by ed and grep creator Ken Thompson in 1973.
Pattern matching language for text processing.
Has slightly different implementations (PERL, POSIX).
Way cryptic at first sight.
Thinking Regex
Log events are a great place to start; they have structure.
Don't overthink it. The pattern is there waiting to be discovered.
Don't be lazy and use wildcards too much.
Learn to love NOT regexes: \S+ \D+ \W+ [^,]+
Regexes in Splunk
Search language: rex, erex, regex
Indexing: filtering data (in|out), line breaking, timestamp extraction
Field extraction
IFX
Splunk has a built-in "interactive field extractor". It can be useful.
Give it samples of data, and it will attempt to learn a regex and persist a single field.
It has a limit on the number of events it displays in its viewer. You might not see your search results when using it? Huh?
What if we could use that "intelligent" stuff IFX was doing, but in the search language?
Meet "erex"
Allows you to give it examples, but it works on your search results.
Allows you to give it counterexamples of stuff you don't want to match on.
Builds you a proper rex command.
Search-time field extractions via your own regexes -- in the search language.
Name your fields.
Reuse everyone else's work!
Splunk is so smart except when it's not
<policy id="3">Finjan HTTPS policy</policy>
<cp id="5" name="Active Content" display_name="Active Content"/>
<group id="5002" cp_id="5" type="0">Full profile - Binary Behavior</group>
<item id="28015">Format error in CRL lastUpdate field</item>
<item id="3265747">*.served.com/*</item>
<rule_comment id="2" name="Block certificate validation errors"><![CDATA[Block HTTPS content without a valid certificate]]></rule_comment>
We can educate Splunk on dynamically pulling the KEY and VALUE with...
REGEX for the VALUE is: a quote, followed by anything that is not a quote (greedy match), followed by a quote, followed by a greater-than sign.
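The two lessons above (learn to love NOT regexes, and pull KEY and VALUE dynamically out of XML attributes) carried through in one added example. This is not code from the deck or from Splunk; it uses Python's re module as a stand-in for Splunk's PCRE-based rex, on a constructed event assembled from three of the deck's XML elements. The greedy wildcard version is shown next to the negated-class version so the difference in what each pulls out is visible, and the grouping into a dict mirrors what a transforms.conf REGEX with FORMAT = $1::$2 does (that pairing is stated here as the assumption behind the example).

```python
import re

# Constructed sample event, modelled on the Finjan XML fragment in the deck
# (three of its elements, joined onto one line; not the deck's own file).
XML_EVENT = (
    '<policy id="3">Finjan HTTPS policy</policy>'
    '<cp id="5" name="Active Content" display_name="Active Content"/>'
    '<item id="28015">Format error in CRL lastUpdate field</item>'
)

# Lazy wildcard version: the value group runs to the LAST quote it can find,
# so it swallows neighbouring attributes and even the next element.
WILDCARD_KV = re.compile(r'(\w+)="(.*)"')

# NOT-regex version: a quote, anything that is not a quote, a quote.
# Same shape as a transforms.conf REGEX paired with FORMAT = $1::$2,
# which turns every attribute into a field named after its key (assumption).
NEGATED_KV = re.compile(r'(\w+)="([^"]*)"')

# The VALUE regex described in the deck: a quote, non-quotes (greedy),
# a quote, then a greater-than sign, i.e. the last attribute of an opening tag.
VALUE_BEFORE_CLOSE = re.compile(r'"([^"]+)">')


def kv_pairs(event, pattern=NEGATED_KV):
    """Return every (key, value) attribute pair the pattern finds in one event."""
    return pattern.findall(event)


def dynamic_fields(event):
    """Group the pairs by key; a key that repeats (id) becomes a multivalue field."""
    fields = {}
    for key, value in kv_pairs(event):
        fields.setdefault(key, []).append(value)
    return fields


if __name__ == "__main__":
    print("wildcard:", kv_pairs(XML_EVENT, WILDCARD_KV))   # one bloated pair
    print("negated: ", kv_pairs(XML_EVENT))                # five clean pairs
    print("fields:  ", dynamic_fields(XML_EVENT))
    print("values before '>':", VALUE_BEFORE_CLOSE.findall(XML_EVENT))
```

The wildcard regex returns a single pair whose value spans from the first `id` all the way to the closing quote of the last attribute in the event; the negated-class regex returns each attribute on its own, which is the only form that can be turned into named fields.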
Splunk Worldwide Users Conference
Thursday, August 18, 11
Text $1 $2
<rule_comment id="690" name="Log everythin Image files"><![CDATA[Logs all content passin the system except for ......
Copyright Splunk 2011
Your job is to create a multi-valued field, as the service field exists multiple times in each event.
Your brain will tell you to look for anything after the first comma after that left bracket and before the second comma.
Left bracket followed by some stuff, followed by a comma... but it's not consistent. Sometimes a ( left paren is in there.
\[[\(\-a-zA-Z0-9]+,([a-zA-Z]+),
Left bracket, followed by anything in this character list (greedy). Followed by a comma, and then create a capturing group of text that matches upper or lower case roman alphabet -- greedy (as many times as possible). End capturing group, then followed by a comma.
\[[\(\-a-zA-Z0-9]+,([a-zA-Z]+),[^\[]+\[[\(\-a-zA-Z0-9]+,([a-zA-Z]+),
Left bracket, followed by anything in this character list (greedy). Followed by a comma, and then create a capturing group of text that matches upper or lower case roman alphabet -- greedy (as many times as possible). End capturing group, then followed by a comma. Followed by anything that is NOT a left bracket, followed by.....
Sad Trombone
This one has four services:
2011/07/21 19:27:27.596 [(ninja4-fe29,genie,/handle,131292312,2011/07/21 19:27:27.310)[ninja4-be716,lmt,PbContentService.write<tetherAccountData;default>][ninja4-be05,tether,TetherAccountService.bindAccount][ninja4-be393,auth,Auth2Service.upgradeSubject]] [] [Auth2Service] upgradeSubject(V1.21.49,"INT",[LIM:131292312:s:1311276361:b8f677d957eb3f7b9622247b72374c791720bc17,true],{internalAppName=twitter-sync},"tether",null)=[Principal[2],[INT:131292312/twitter-sync:1311276447:df9dd0175bd2e6107c2dfae36dfd9a9dc11f0631,false,20y]] in 15ms
Remember rex? He devours data.
But you can make rex very hungry and control how much lunch he eats. By default, he only gets one helping of meat.
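The one-helping-versus-many point, run against the deck's own four-service event with the deck's own regexes, as an added example (not code from the deck or from Splunk). Python's re stands in for rex: search() behaves like rex's default max_match=1, findall() like max_match=0, and the small mvindex() helper is a hypothetical stand-in for Splunk's mvindex function so the multivalue result can be indexed the way the deck does later.

```python
import re

# The "four services" event from the deck, joined back onto one line.
EVENT = (
    '2011/07/21 19:27:27.596 '
    '[(ninja4-fe29,genie,/handle,131292312,2011/07/21 19:27:27.310)'
    '[ninja4-be716,lmt,PbContentService.write<tetherAccountData;default>]'
    '[ninja4-be05,tether,TetherAccountService.bindAccount]'
    '[ninja4-be393,auth,Auth2Service.upgradeSubject]] [] [Auth2Service] '
    'upgradeSubject(V1.21.49,"INT",[LIM:131292312:s:1311276361:'
    'b8f677d957eb3f7b9622247b72374c791720bc17,true],'
    '{internalAppName=twitter-sync},"tether",null)=[Principal[2],'
    '[INT:131292312/twitter-sync:1311276447:'
    'df9dd0175bd2e6107c2dfae36dfd9a9dc11f0631,false,20y]] in 15ms'
)

# The deck's one-service regex: "[", a run of ( - letters digits, ",", the name, ",".
SERVICE = re.compile(r'\[[\(\-a-zA-Z0-9]+,([a-zA-Z]+),')

# The deck's two-service attempt: the same thing twice with "not a [" in between.
TWO_SERVICES = re.compile(
    r'\[[\(\-a-zA-Z0-9]+,([a-zA-Z]+),[^\[]+\[[\(\-a-zA-Z0-9]+,([a-zA-Z]+),'
)


def first_service(event):
    """rex with its default max_match=1: one helping, the first match only."""
    m = SERVICE.search(event)
    return m.group(1) if m else None


def two_services(event):
    """The two-group regex: still a fixed number of helpings per event."""
    m = TWO_SERVICES.search(event)
    return m.groups() if m else None


def all_services(event):
    r"""rex max_match=0: every match, which is what a multivalue field holds.
    SPL equivalent (rex needs a named group):
      | rex max_match=0 "\[[\(\-a-zA-Z0-9]+,(?<service>[a-zA-Z]+),"
    """
    return SERVICE.findall(event)


def mvindex(values, i):
    """Hypothetical stand-in for Splunk's mvindex(): the i-th value, or None if absent."""
    try:
        return values[i]
    except IndexError:
        return None


if __name__ == "__main__":
    print("default rex:", first_service(EVENT))
    print("two groups: ", two_services(EVENT))
    print("max_match=0:", all_services(EVENT))
    print("mvindex 3:  ", mvindex(all_services(EVENT), 3))
```

The single regex already describes the repeating unit correctly; what was missing was letting rex match it more than once. Note that findall skips the bracketed tokens later in the event (`[LIM:...`, `[Principal[2]`, `[Auth2Service]`) because none of them has a comma right after the first character run, so the character class does the filtering without any extra anchoring.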
L 08/02/2011 - 11:46:05: "The Administrator<61><BOT><Red>" killed "MoreGun<56><BOT><Blue>" with "flamethrower" (attacker_position "-2677 2177 -127") (victim_position "-2555 2323 -127")
Who's who? How do we know who did what to whom?
Fields to extract for the attacker: actor, actor_id, actor_team, actor_type
Fields to extract for the victim: actee, actee_id, actee_team, actee_type
| eval actor_name = mvindex(actor_name_z,0) | eval actee_name = mvindex(actor_name_z,1)
actor_name = The Administrator
actee_name = MoreGun
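The who-did-what-to-whom extraction on the deck's kill line, as an added example (not code from the deck or from Splunk; Python's re stands in for rex). It shows the positional approach the deck uses (match every player token, then take index 0 as actor and index 1 as actee) next to a single regex with named groups in which the literal "killed" fixes the roles. The second, constructed log line (a suicide with only one player token, not from the deck) is there to show the check the positional approach needs before mvindex(...,1) can be trusted.

```python
import re

# The game-server kill line from the deck, joined back onto one line.
EVENT = (
    'L 08/02/2011 - 11:46:05: "The Administrator<61><BOT><Red>" killed '
    '"MoreGun<56><BOT><Blue>" with "flamethrower" '
    '(attacker_position "-2677 2177 -127") (victim_position "-2555 2323 -127")'
)

# Constructed line with a single player token (not from the deck).
SUICIDE = 'L 08/02/2011 - 11:46:09: "MoreGun<56><BOT><Blue>" committed suicide with "world"'

# One player token: "name<id><type><team>". [^"<]+ stops the name at the first
# angle bracket, so "flamethrower" and the position strings never match.
PLAYER = re.compile(r'"(?P<name>[^"<]+)<(?P<id>\d+)><(?P<type>[^>]+)><(?P<team>[^>]+)>"')

# Role-aware regex: the literal "killed" decides which token is actor and which is actee.
KILL = re.compile(
    r'"(?P<actor>[^"<]+)<(?P<actor_id>\d+)><(?P<actor_type>[^>]+)><(?P<actor_team>[^>]+)>"'
    r' killed '
    r'"(?P<actee>[^"<]+)<(?P<actee_id>\d+)><(?P<actee_type>[^>]+)><(?P<actee_team>[^>]+)>"'
    r' with "(?P<weapon>[^"]+)"'
)


def roles_by_position(event):
    """The deck's approach: multivalue field of names, then index 0 = actor, 1 = actee.
    Returns None unless exactly two player tokens were found, because index 1 is
    meaningless on a line with one player."""
    names = [m.group("name") for m in PLAYER.finditer(event)]
    if len(names) != 2:
        return None
    return {"actor_name": names[0], "actee_name": names[1]}


def roles_by_name(event):
    """One regex with named groups: every field is named at extraction time."""
    m = KILL.search(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(roles_by_position(EVENT))
    print(roles_by_name(EVENT))
    print(roles_by_position(SUICIDE), roles_by_name(SUICIDE))
```

Positional indexing is quick to write and works when every event has the same shape; the named-group regex costs more typing but carries the role in the field name and simply fails to match on a line that does not fit, instead of silently assigning the wrong player.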
Resources
regexlib.com
regular-expressions.info
gskinner.com/RegExr
Reggy / RegExhibit
RegexBuddy (JGSoft.com)