pkt-nspktr/transforms-re.py

## transforms-re.py
#!/opt/splunk/bin/python2

import re

def transform(line):
        txf = re.search(r'\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?\(?([\w-]+)\)?', line, re.M|re.I)

        if txf:
                return( txf.group(1) )
        else:
                return( None )


syslogs = {
        '<134>Jul  1 07:22:23 filterlog: 104,,,1000004861,em1,match,pass,out,4,0x0,,64,34538,0,none,1,icmp,85,192.168.XXX.XXX,2XX.3XX.2XX.1XXX,request,22129,102965': 'filterlog',
        '<182>Jul  1 07:22:25 (squid-1): 1593606145.218      0 192.168.XXX.XXX NONE/200 0 CONNECT XXX.XXX.XXX.XXX:443 - HIER_NONE/- - 07:22:23.351305': 'squid-1',
        '<191>Jul  1 07:37:45 dhcpd: reuse_lease: lease age 12304 (secs) under 25% threshold, reply with unaltered, existing lease for 192.168.XXX.XXX': 'dhcpd',
        '<190>Jul  1 07:37:45 dhcpd: DHCPREQUEST for 192.168.XXX.XXX from XX:XX:XX:XX:XX:XX (*****) via em0': 'dhcpd',
        '<190>Jul  1 07:37:45 dhcpd: DHCPACK on 192.168.XXX.XXX to XX:XX:XX:XX:XX:XX (*****) via em0': 'dhcpd',
        '<174>Jul  1 07:37:30 nginx: 192.168.XXX.XXX - - [01/Jul/2020:07:37:30 -0500] "POST /sgerror.php?url=403%20&a=192.168.XXX.XXX&n=amazon-AAAAA.home.localnet&i=&s=SUBNET&t=blk_BL_tracker&u=http://udm.scorecardresearch.com/offline?c2=3005420&s=3b73ea12455e0c73b24441d42eed4d6f HTTP/1.1" 403 551 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; KFAUWI Build/LVY48F)"': 'nginx',
        '<14>Jul  1 07:52:00 dhcpleases: Sending HUP signal to dns daemon(74211)': 'dhcpleases',

}

for l,e in syslogs.items():
        t = transform(l)
        if(t==e):
                print( t )
        else:
                err = "expected {}, got {}"
                print(err.format(e, t))
	#!/opt/splunk/bin/python2

	import re

	def transform(line):
	txf = re.search(r'\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[\w.]+\s)?\(?([\w-]+)\)?', line, re.M\|re.I)

	if txf:
	return( txf.group(1) )
	else:
	return( None )


	syslogs = {
	'<134>Jul 1 07:22:23 filterlog: 104,,,1000004861,em1,match,pass,out,4,0x0,,64,34538,0,none,1,icmp,85,192.168.XXX.XXX,2XX.3XX.2XX.1XXX,request,22129,102965': 'filterlog',
	'<182>Jul 1 07:22:25 (squid-1): 1593606145.218 0 192.168.XXX.XXX NONE/200 0 CONNECT XXX.XXX.XXX.XXX:443 - HIER_NONE/- - 07:22:23.351305': 'squid-1',
	'<191>Jul 1 07:37:45 dhcpd: reuse_lease: lease age 12304 (secs) under 25% threshold, reply with unaltered, existing lease for 192.168.XXX.XXX': 'dhcpd',
	'<190>Jul 1 07:37:45 dhcpd: DHCPREQUEST for 192.168.XXX.XXX from XX:XX:XX:XX:XX:XX (*****) via em0': 'dhcpd',
	'<190>Jul 1 07:37:45 dhcpd: DHCPACK on 192.168.XXX.XXX to XX:XX:XX:XX:XX:XX (*****) via em0': 'dhcpd',
	'<174>Jul 1 07:37:30 nginx: 192.168.XXX.XXX - - [01/Jul/2020:07:37:30 -0500] "POST /sgerror.php?url=403%20&a=192.168.XXX.XXX&n=amazon-AAAAA.home.localnet&i=&s=SUBNET&t=blk_BL_tracker&u=http://udm.scorecardresearch.com/offline?c2=3005420&s=3b73ea12455e0c73b24441d42eed4d6f HTTP/1.1" 403 551 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; KFAUWI Build/LVY48F)"': 'nginx',
	'<14>Jul 1 07:52:00 dhcpleases: Sending HUP signal to dns daemon(74211)': 'dhcpleases',

	}

	for l,e in syslogs.items():
	t = transform(l)
	if(t==e):
	print( t )
	else:
	err = "expected {}, got {}"
	print(err.format(e, t))