topic Regex Help in Splunk Dev

Regex Help

sjangampeta — Tue, 29 Sep 2020 12:59:43 GMT

Need help in removing double quotes from extracted field value.

EVAL-user = nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})", "\1"),"")

Sample Log:
2017-02-12 14:02:05,Virus found,Source: Scheduled Scan,Risk name: OSX.Trojan.Gen,Occurrences: 1,/Users/71071190/Downloads/archive_manager.dmg,'',Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2017-02-08 22:38:17,Inserted: 2017-02-12 20:02:05,End: 2017-02-08 22:38:17,Last update time: 2017-02-12 20:02:05,Domain: North America,Group: My Company\North America\Workstations\Macs,User: "ABCD, XYZ {FGH}",Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: UNKNOWN
2017-02-12 14:02:05,Virus found,Source: Scheduled Scan,Risk name: OSX.Trojan.Gen,Occurrences: 1,/Users/71071190/Downloads/archive_manager.dmg,'',Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2017-02-08 22:38:17,Inserted: 2017-02-12 20:02:05,End: 2017-02-08 22:38:17,Last update time: 2017-02-12 20:02:05,Domain: North America,Group: My Company\North America\Workstations\Macs,User: 12345678,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: UNKNOWN

Extracted values: -
user = 12345678
user= "ABCD, XYZ {FGH}"

Re: Regex Help

adayton20 — Mon, 20 Feb 2017 18:46:48 GMT

Try this:

| rex field=user mode=sed "s/\"/ /g"

Re: Regex Help

sjangampeta — Tue, 29 Sep 2020 12:59:46 GMT

Thank you rex works.
But we don't want to add during search time.

Can I update anything in below calculated field?
EVAL-user = nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})", "\1"),"")

Re: Regex Help

woodcock — Mon, 20 Feb 2017 19:54:56 GMT

Like this:

EVAL-user=replace(user, "\"", "")

Re: Regex Help

sjangampeta — Tue, 29 Sep 2020 12:59:48 GMT

since we already have existing eval-user, where can i add this "\"", "" regex ?

EVAL-user = nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})", "\1"),"")

Re: Regex Help

woodcock — Mon, 20 Feb 2017 20:14:41 GMT

You can do 2 passes; put mine after the original.

Re: Regex Help

sjangampeta — Tue, 29 Sep 2020 12:59:51 GMT

Tried this, but it fails .new user value "ABCD, XYZ {FGH}"s/"/ /g

nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})\"?", "s/\"/ /g\1"),"")

Re: Regex Help

somesoni2 — Mon, 20 Feb 2017 20:46:13 GMT

Why not just do a search time field extraction like this.

props.conf on search head

[yoursourcetype]
EXTRACT-userfield = ,User:\s+\"*(?<user>.+)\"*,Source computer

See regex101 page for validation of regex
https://regex101.com/r/6e4pdb/1

Re: Regex Help

sjangampeta — Tue, 29 Sep 2020 13:00:07 GMT

may i know what I'm missing ?
nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})\"?", "s/\"/ /g\1"),"")

Re: Regex Help

sjangampeta — Tue, 21 Feb 2017 15:51:42 GMT

our requirement was to update above eval function, so it can extract all user fields. they don't want to add search time field extraction