topic Re: Field extraction in Splunk Search

How to extract this field?

balu1211 — Tue, 06 Dec 2022 17:10:54 GMT

extract the field

sample data : "tag":AKAMAI/WAF/

Thanks..

Re: Field extraction

gcusello — Sat, 03 Dec 2022 17:08:19 GMT

Hi @balu1211,

please try this:

| rex "(?ms)\"tag\":\s*(?<tag>[^\n]+)"

that you an test at https://regex101.com/r/3p4M9q/1

Ciao.

Giuseppe

Re: Field extraction

balu1211 — Mon, 05 Dec 2022 10:52:41 GMT

...

Re: Field extraction

gcusello — Sun, 04 Dec 2022 06:30:05 GMT

Hi @balu1211,

I thought that the one you shared was your event!

could you share (in text format not screenshot) the event for field extraction?

Ciao.

Giuseppe

Re: Field extraction

balu1211 — Mon, 05 Dec 2022 10:48:08 GMT

.............

Re: Field extraction

ITWhisperer — Sun, 04 Dec 2022 11:07:50 GMT

Try something like this

| spath attackData.rules{}.tag output=tag | mvexpand tag | rex field=tag "(?<name>.*)/.*?" | eval name=coalesce(name,tag) | eval {name}=tag

Re: Field extraction

balu1211 — Sun, 04 Dec 2022 11:41:31 GMT

Hi My usecase is field extraction not the search pls help in extracting the fields from the events i mentioned above.

Thanks

@ITWhisperer

Re: Field extraction

gcusello — Sun, 04 Dec 2022 14:07:02 GMT

Hi @balu1211 ,

this is a regex to extract the tag vales:

| rex "\"tag\":\"(?<tag>[^\"]*)"

that you can test at https://regex101.com/r/mGxdvh/1

Anyway, as hinted by @ITWhisperer, I hint to explore the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath) to extract all the fields from your json file.

Ciao.

Giuseppe

Re: Field extraction

ITWhisperer — Sun, 04 Dec 2022 14:13:08 GMT

What have you already tried?

Re: Field extraction

balu1211 — Mon, 05 Dec 2022 10:53:08 GMT

....

Re: Field extraction

gcusello — Sun, 04 Dec 2022 17:15:07 GMT

Hi @balu1211,

the regex I shared correctly extract the tag field also with this source, what's the problem?

Ciao.

Giuseppe

Re: Field extraction

yuanliu — Sun, 04 Dec 2022 20:10:11 GMT

@balu1211I am glad you finally started to explain what you are trying to do in the other thread Re: Help with the field extraction and regex. So, based on this, you have a conformant JSON, therefore you must already have a field named tag that is extracted already. Applying the same technique from the other thread,

| rex field=tag mode=sed "s/AKAMAI\/(\w+)\/(.+)/AKAMAI_\1=\"\2\"/" | rex field=tag mode=sed "s/ASE\/(\w+)\/(.+)/ASE\/\1=\"\2\"/" | rex field=tag mode=sed "s/(IPBLOCK\/.+)/ip_Attack=\"\1\"/" | rex field=tag mode=sed "s/(CUSTOM_AKA\/.+)/Custom_Rules=\"\1\"/" ``` convert structured paths to key-value pairs ``` | rename _raw as temp, tag as _raw ``` extract works on _raw only ``` | kv ``` extract key-value pairs ``` | rename temp as _raw

This is the same formula I posted there, except it was never clear that you had a field named "tag" and that the data was somehow related to your initial question.

Re: Field extraction

balu1211 — Tue, 06 Dec 2022 14:53:03 GMT

@yuanliu @ITWhisperer @gcusello

Hi,

Could you help me out to extract these field to make it as a global.

"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

I want to extract these marked in red color in one new field name as ip_block.

thanks.

Re: Field extraction

ITWhisperer — Tue, 06 Dec 2022 14:59:01 GMT

What have you tried so far?

Re: Field extraction

gcusello — Tue, 06 Dec 2022 15:19:28 GMT

Hi @balu1211,

please try this:

| rex "\"tag\":\"(\w*\/\w*\/)*(?<tag>[^\"]+)"

but it's always better to create a new question for a new issue.

Ciao.

Giuseppe

Re: Field extraction

balu1211 — Tue, 06 Dec 2022 16:19:42 GMT

Hi @gcusello @yuanliu @ITWhisperer

my usecase is like the values under ipblock/adaptive should extract under new filed name including ipblock value as well in that new field name.

"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

Output: under new field name eg. ip_attack

IPBLOCK

BURST

SUMMARY

thanks.

Re: Field extraction

gcusello — Tue, 06 Dec 2022 16:58:08 GMT

Hi @balu1211,please try this:

| rex "\"tag\":\"(\w*\/\w*\/)*(?<ip_attack>\w+)\""

that you can test at https://regex101.com/r/dEkQF3/1

Ciao.

Giuseppe

Re: Field extraction

balu1211 — Thu, 08 Dec 2022 17:23:23 GMT

...

Re: Field extraction

yuanliu — Wed, 07 Dec 2022 05:26:35 GMT

You can use mvindex to extract the last part of a path.

| eval tag = mvindex(split(tag, "/"), -1)

As @gcusello, you should start a new post when you change substance.