https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553724#M157218 <P>Thank you very much, that worked perfectly fine.</P><P>I was able to reach the same result also using SEDCMD.</P><P>Thank you again!</P> Mon, 31 May 2021 15:14:46 GMT martaBenedetti 2021-05-31T15:14:46Z https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553695#M157213 <P>Hi community,</P><P>I need help in parsing events containing not pure json.</P><P>This is the raw event:</P><P>&nbsp;</P><LI-CODE lang="markup">May 28 15:00:15 sd960evo ESS|2.1.0.0 {"User":"SD960EVO\\WinCash","ObjectName":"C:\\PROGRAM FILES\\NCR\\UAHELPER\\XFSTOOL.EXE","Sha256":"6E3B72786B24A85BA657D8298783402DA5237A864ADE989B7B013DEFE65BEDCF","CmdLine":"\"C:\\Program Files\\NCR\\UAHelper\\XFSTool.exe\" \"C:\\Program Files\\NCR APTRA\\Unified Agent\\WS\\bin\\FileUpload\" PIN30\u0000","ParentName":"C:\\Program Files\\NCR\\UAHelper\\UAHelperService.exe\u0000","ProductName":"","FileVersion":"0.0.0.0","EnforcedPolicy":"Deny","DefaultPolicy":"Deny","MatchedRules":"","Issuer":"","Thumbprint":"","Valid":"No","DefaultDeny":"Yes","ActionMask":"-2147483390"}\r\n</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>This is my props.conf&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[kaspersky:syslog] TIME_PREFIX = ^ TIME_FORMAT = %b %d %T EXTRACT-device = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?&lt;device&gt;[^\s]*)\s+.* EXTRACT-app = \w+\s+\d+\s+\d+\:\d+\:\d+\s+\S+\s(?&lt;app&gt;[^\s]*)\s+.* REPORT-json = report-json,report-json-kv</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>This is my transforms.conf file</P><P>&nbsp;</P><LI-CODE lang="markup">[report-json] # This will get the json payload from the logs. REGEX = (?P&lt;json1&gt;{.+}) # Manually extract JSON key-value [report-json-kv] REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+) FORMAT = $1::$2 MV_ADD = true</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I've tried regex to extract device, app, json1 at search time with rex command and it's working fine.</P><P>Do you have any ideas?</P><P>Do you have better solution to parse this log?</P><P>&nbsp;</P><P>Thank you very much</P> Mon, 31 May 2021 08:08:04 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553695#M157213 martaBenedetti 2021-05-31T08:08:04Z https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553713#M157216 <P>Try extracting device and app in the same regex.</P><LI-CODE lang="markup">EXTRACT-deviceApp = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?&lt;device&gt;\S+)\s(?&lt;app&gt;[^\s]*)\s</LI-CODE><P>I don't see the need for the report-json transform.</P><P>This transform should handle the key-value parsing.</P><LI-CODE lang="markup">[report-json-kv] REGEX = "(\w+)":\s*"((?:[^"\\]|\\.)*)" FORMAT = $1::$2 MV_ADD = true</LI-CODE> Mon, 31 May 2021 13:55:07 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553713#M157216 richgalloway 2021-05-31T13:55:07Z https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553724#M157218 <P>Thank you very much, that worked perfectly fine.</P><P>I was able to reach the same result also using SEDCMD.</P><P>Thank you again!</P> Mon, 31 May 2021 15:14:46 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-kaspersky-syslog-events/m-p/553724#M157218 martaBenedetti 2021-05-31T15:14:46Z