https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373711#M109897 <P>Hey all, </P> <P>I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.<BR /> transforms.conf:</P> <PRE><CODE>[fields_for_scap] REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?)?Result\n\t(.\*) FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5 </CODE></PRE> <P>Previously attempted regexes:</P> <PRE><CODE>REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?(?:Ident\n\t(.\*)\n)?Result\n\t(.\*) REGEX = Title\n\t(.\*)\nRule\n\t(.\*)(?:\nIdent\n\t)?(.\*|)(?:\nIdent\n\t)?(.\*|)\nResult\n\t(.\*) </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[scap] SHOULD_LINEMERGE=false LINE_BREAKER = (\n\n) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT REPORT-fields_for_scap = fields_for_scap </CODE></PRE> <P>Example events:</P> <PRE><CODE>Title Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool Rule kernel_disable_entropy_contribution_for_solid_state_drives Result pass Title Ensure /tmp Located On Separate Partition Rule partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001 Result pass </CODE></PRE> <P>Edit:</P> <P>For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.</P> Tue, 29 Sep 2020 18:02:54 GMT zsanchez113 2020-09-29T18:02:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373711#M109897 <P>Hey all, </P> <P>I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.<BR /> transforms.conf:</P> <PRE><CODE>[fields_for_scap] REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?)?Result\n\t(.\*) FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5 </CODE></PRE> <P>Previously attempted regexes:</P> <PRE><CODE>REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?(?:Ident\n\t(.\*)\n)?Result\n\t(.\*) REGEX = Title\n\t(.\*)\nRule\n\t(.\*)(?:\nIdent\n\t)?(.\*|)(?:\nIdent\n\t)?(.\*|)\nResult\n\t(.\*) </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[scap] SHOULD_LINEMERGE=false LINE_BREAKER = (\n\n) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT REPORT-fields_for_scap = fields_for_scap </CODE></PRE> <P>Example events:</P> <PRE><CODE>Title Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool Rule kernel_disable_entropy_contribution_for_solid_state_drives Result pass Title Ensure /tmp Located On Separate Partition Rule partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001 Result pass </CODE></PRE> <P>Edit:</P> <P>For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.</P> Tue, 29 Sep 2020 18:02:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373711#M109897 zsanchez113 2020-09-29T18:02:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373712#M109898 <P>Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.</P> Mon, 12 Feb 2018 17:39:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373712#M109898 FrankVl 2018-02-12T17:39:08Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373713#M109899 <P>Try:</P> <PRE><CODE>REGEX = Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?[\s\S]*?Result[\r\n]*\s*([^\r\n]*) FORMAT = Title::$1 Rule::$2 CCE::$4 DISA::$5 Result::$6 </CODE></PRE> <P>It's fairly efficient.</P> Tue, 13 Feb 2018 00:59:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-openSCAP-using-regex/m-p/373713#M109899 cpetterborg 2018-02-13T00:59:11Z