topic Re: Field extraction needed in Splunk Enterprise

What is the best approach to this field extraction?

mbasharat — Sun, 15 May 2022 20:11:27 GMT

Hi,

I have a field name Details. This field contains a lot of information in varying format. e.g. software installed on endpoints, updates installed etc. I need to extract this information from this field. Sample is below. What is the best approach? I need both from configuring field extraction for this in configs or in actual Splunk search using rex or eval.

Fields to be extracted:

Path
Version/Installed Version: Both need to be extracted in a way that *Version* is used to cover variations.
Method/Detection Method: Both need to be extracted in a way that *Method* is used to cover variations.

Variation 1:

<plugin_output>
Path : /opt/AdoptOpenJRE/jdk8u332-b09-jre/
Version : 1.8.0_332
Binary Location : /opt/AdoptOpenJRE/jdk8u332-b09-jre/bin/java
Details : This Java install appears to be Java Runtime Environment, since
"jre" was found in the installation path and javac was not found
(medium confidence).
This Java install may be Oracle Java or OpenJDK Java due to
"org.openjdk.java.util" in the binary (low confidence).
Detection Method : "find" utility
</plugin_output>

Variation 2:

<plugin_output>
Path : /HP/hpoa/CADE2/HP/nonOV/openadaptor/1_6_5/classes/oa_jdk14_classes.jar
Version : 1.1.0
JMSAppender.class association : Found
JdbcAppender.class association : Found
JndiLookup.class association : Not Found
Method : MANIFEST.MF dependency
</plugin_output>

Variation 3:

<plugin_output>
Path : /opt/IBM/WebSphere855/AppServer/java_1.7_64/
Installed version : 7.0
Fixed version : 7.0.11.5

Path : /opt/IBM/WebSphere855/AppServer.old/java_1.7_64/
Installed version : 7.0
Fixed version : 7.0.11.5

Path : /opt/IBM/WebSphere855/AppServer.gagan/java_1.7_64/
Installed version : 7.0
Fixed version : 7.0.11.5

Path : /opt/IBM/InstallationManager/eclipse/jre_7.0.100001.20170309_1301/
Installed version : 7.0
Fixed version : 7.0.11.5
</plugin_output>

Thanks in-advance!!

Re: Field extraction needed

richgalloway — Sat, 14 May 2022 16:33:27 GMT

What have you tried so far? What results did you get from those efforts?

Is Variation3 a single event or separate events? If the former, what should be extracted and is the number of sections fixed?

Re: Field extraction needed

mbasharat — Sat, 14 May 2022 17:07:51 GMT

Hi @richgalloway,

When I had ingested original dataset, I had used key value pairs to extract a lot of information per requirements and that has been working flawlessly until new requirements came to extract this information.

The rex for field transformation I have been using for this dataset that works as needed is:
(\r|\n)*(?<_KEY_1>[^:]+):(?<_VAL_1>[^\r\n]+)

Automatically clean field names option is enabled.

Thanks!

Re: Field extraction needed

VatsalJagani — Sun, 15 May 2022 11:49:47 GMT

@mbasharat - Try this regex:

[\r\n]+(?<_KEY_1>[^\n:]+):(?<_VAL_1>[^\r\n]+)

I hope this helps!!!!

Re: Field extraction needed

mbasharat — Tue, 17 May 2022 15:24:04 GMT

@VatsalJagani

How have you tested your provided regex in splunk search? I see a slight tweak in yours vs mine. Mine is out there in production so I need to be definitive so please provide test search you have used. Also, can it be search time extraction and if yes then how?

Thanks in advance!!!

Re: Field extraction needed

VatsalJagani — Tue, 17 May 2022 15:30:29 GMT

@mbasharat - I've tested in regex101.

Please check here to see if you are getting what you need - https://regex101.com/r/DoWz5Q/1

Of course, I'm not gonna test in a live environment because my environment will not have this data.

Generally, the preferred practice is that you test all configuration changes in a staging environment.

I hope this helps!!!!