Aug 15 2023 03:51 AM
Hello, can someone please help me with an extract regex expression?
I have a syslog message that has this structure:
1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=445 pattern: allow all
or
1692086279.965148294 XXXXflows src=XXXXX dst=XXXXX mac=00:XXXXX:XX protocol=udp sport=56182 dport=53 pattern: allow (dst 192.168.10.0/24) && (src 172.26.0.0/15)
or
1692087314.799126634 XXXXflows src=XXX dst=XXX protocol=tcp sport=443 dport=65472 pattern: deny all
I would need to extract the pattern value, allow or deny only. I was thinking of something like
Syslog
|extend pattern = extract(@'pattern: \"[A-Za-z]+ \"', 1, SyslogMessage),
but it does not work as expected. Can you please help me? Basically it will always be prefixed with pattern: and then allow or deny and a space.
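An added example, not from the thread: in Kusto, extract() returns whichever capture group you ask for, so the regex only needs to put allow|deny inside parentheses and pass 1 as the group index. The datatable rows are constructed from the three message shapes in the question; the column names and the table name SampleSyslog are assumptions.

```kusto
// Constructed sample rows mirroring the three message shapes from the question
let SampleSyslog = datatable(SyslogMessage:string) [
    "1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=445 pattern: allow all",
    "1692086279.965148294 XXXXflows src=XXXXX dst=XXXXX mac=00:XXXXX:XX protocol=udp sport=56182 dport=53 pattern: allow (dst 192.168.10.0/24) && (src 172.26.0.0/15)",
    "1692087314.799126634 XXXXflows src=XXX dst=XXX protocol=tcp sport=443 dport=65472 pattern: deny all"
];
SampleSyslog
// Capture group 1 is the verdict; \b stops "allowed" or "denying" from matching
| extend verdict = extract(@"pattern:\s+(allow|deny)\b", 1, SyslogMessage)
// Same capture-group approach for the key=value fields; \b keeps src= and dst=,
// sport= and dport= from matching each other
| extend src      = extract(@"\bsrc=(\S+)", 1, SyslogMessage),
         dst      = extract(@"\bdst=(\S+)", 1, SyslogMessage),
         protocol = extract(@"\bprotocol=(\S+)", 1, SyslogMessage),
         sport    = toint(extract(@"\bsport=(\d+)", 1, SyslogMessage)),
         dport    = toint(extract(@"\bdport=(\d+)", 1, SyslogMessage)),
         // The rule text after the verdict, e.g. "all" or the (dst ...) && (src ...) expression
         rule     = extract(@"pattern:\s+(?:allow|deny)\s+(.*)$", 1, SyslogMessage),
         // The leading epoch seconds converted to a datetime for time-based filtering
         MsgTime  = unixtime_seconds_todatetime(todouble(extract(@"^(\d+\.\d+)", 1, SyslogMessage)))
// Drop rows where no verdict was found rather than carrying empty strings
| where isnotempty(verdict)
// Example of the kind of filter the extracted column enables: denied flows only
| where verdict == "deny"
| project MsgTime, verdict, protocol, src, dst, sport, dport, rule
```

The original attempt fails because inside an @'…' verbatim string the \" is a literal backslash and quote that the message never contains, and the capture-group index 1 refers to a group the pattern does not define.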
Aug 15 2023 06:30 AM - edited Aug 15 2023 06:31 AM
Hello
try
Syslog
| where has("pattern") and (tostring(dynamic(["allow", "deny"]) in tostring(pattern)))
| project Timestamp, src, dst, protocol, sport, dport, pattern
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
Aug 16 2023 07:28 AM - edited Aug 18 2023 02:03 AM
Unfortunately it does not work for me:
Query could not be parsed at 'has' on line [2,8] Token: has Line: 2 Position: 8 Request id: 2e66e81d-d5e5-412c-9130-6d27512cd854
Aug 18 2023 02:02 AM