topic Re: How to build field in Other Usage

How to build fields?

mauriziotarducc — Tue, 07 Mar 2023 15:26:50 GMT

Hello

Having log like :

<182>Mar 1 18:18:24 SND1 Policy Manager severity=Info saf=1 safd=RACF record=Mar 1 13:17:31 SND1 baspm[67174579]: Compliance Failure='Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not part of SPM dataset filter=SHRD' [DS33795]

i would extract the fields :

SND1 as LPAR field

[DS33795] ad DISANUM field

'Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not part of SPM dataset filter=SHRD' as DESCRIPTION field

Can you help me writing the regex ?

i started to write the following

"Compliance Failure" sourcetype="AMI SPM" | rex field=_raw "^(?:[^:\n]*:){2}\d+(?P<LPAR>\s+\w+)(?:[^\[\n]*\[){2}(?P<DISANUM>\w+)" offset_field=_extracted_fields_bounds | stats count by DISANUM

but i m not able to get the string after Compliance Failure into the field DDESCRIPTION

Thanks in advance

Maurizio

Re: How to build fuild

bowesmana — Mon, 06 Mar 2023 23:39:50 GMT

Try this

| rex field=_raw "^.*?(\d+:){2}\d+(?P<LPAR>\s+\w+).*Compliance Failure='(?<DESCRIPTION>[^']*)'\s+\[(?P<DISANUM>\w+)" offset_field=extracted_fields_bounds

Re: How to build field

mauriziotarducc — Thu, 23 Mar 2023 13:47:07 GMT

Thanks

i have another request :

i have the a text like (JSON Format) :

{"Time": "2023-03-23T13:23:50.551", "HostName": "SND1", "Cat": "Policy Manager", "Severity": "Info", "SAF": 1, "SAFD": "RACF", "Record": "Mar 23 09:23:49 SND1 baspm[33620189]: Compliance Failure='PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120' [DS223718]"}

i would like to have DESCRIPTION fileld based on "Complaince Failure" and DISANUM based on the content of [ and ] character at the end of the string (in the above example the DISANUM is [DS223718] .

Thanks in advance

Maurizio

Re: How to build field

bowesmana — Fri, 24 Mar 2023 01:34:46 GMT

In general, if it's a new question requiring a new answer, please ask it in a new question rather than using an already answered question, so others can help out

If your JSON is already auto extracted then do only the rex statement, otherwise use spath to extract the JSON from the raw event

| spath | rex field=Record "[^\]]*\]: (?<DESCRIPTION>[^=]*).*\[(?<DISANUM>\w+)"

Re: How to build field

mauriziotarducc — Fri, 24 Mar 2023 15:50:37 GMT

Hello thanks

ok partially worked because

for the filed DESCRIPTION i just have Compliance Failure i shout have :

DESCRIPTION = 'Port=23 included in configuration for TN3270 is not as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments'

can yu help me ?

Maurizio

Re: How to build field

mauriziotarducc — Fri, 24 Mar 2023 15:51:55 GMT

or better based on the last example :

DESCRIPTION = 'PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120'

thanks

Maurizio

Re: How to build field

bowesmana — Sun, 26 Mar 2023 22:15:03 GMT

Sorry - correct rex here

| rex field=Record "[^\]]*\]:\s+Compliance Failure='(?<DESCRIPTION>[^']*).*\[(?<DISANUM>\w+)"

It assumes the description is surrounded by single quote characters

Re: How to build fields?

mauriziotarducc — Mon, 27 Mar 2023 07:43:04 GMT

Hello good morning

executing your new rex what i have is :

23/03/23 13:23:52,425

{ [-]
   Cat: Policy Manager
   HostName: SND1
   Record: Mar 23 09:23:52 SND1 baspm[33620189]: Compliance Failure='Port=23 included in configuration for TN3270 is not as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments' [DS223821]
   SAF: 1
   SAFD: RACF
   Severity: Info
   Time: 2023-03-23T13:23:52.425
}

But not Description and DISANUM .

Maurizio

Re: How to build fields?

mauriziotarducc — Mon, 27 Mar 2023 08:51:08 GMT

Hello i did the following and now is ok

"Compliance Failure" | rex "Compliance Failure='(?<DESCRIPTION>[^']*)'\s*\[(?<DISANUM>[^\]]+)\]"

Regards

Maurizio

Re: How to build fields?

bowesmana — Mon, 27 Mar 2023 22:11:12 GMT

If you have done spath and have a field following the spath called Record, then the rex should work, but if you don't have a field called Record because that field is not extracted, then it won't. Your rex is looking at the entire _raw field.