topic Re: How to extract fields (in props.conf) based on conditional regex? in Splunk Search

How to extract fields (in props.conf) based on conditional regex?

Jamie — Mon, 23 Jan 2023 11:17:07 GMT

Hello,

My events contain strings such as:

notification that user "mydomain\bob" has
notification that user "fred" has
notification that user "01\ralph2" has

I'm trying to write a conditional EXTRACT in props.conf, so that the a new field 'domain' is assgined the domain name (i.e. mydomain, 01) where specified, else is assigned NULL and new field 'user' is assigned the user name (i.e. bob, fred, ralph2).

This works well enough when there is a domain and a user, but oviously not when there isn't a domain:

EXTRACT-domain_user = notification\sthat\suser\s\"(?<domain>[\w\d]+)\\(?<user>[\w\d]+)\"\shas

I'd be grateful for some assistance.

Re: How to extract fields (in props.conf) based on conditional regex?

gcusello — Mon, 23 Jan 2023 12:31:44 GMT

Hi @Jamie,

you could extract the domain using a regex like the following

| rex "notification that user \"(?<domain>\w+)\\"

and then use fillnull to give the NULL value if there isn't the domain:

| rex "notification that user \"(?<domain>\w+)\\" | fillnull domain value="NULL"

You can also extract the domain field ad a field extraction and the NULL assign as an automatic field.

Ciao.

Giuseppe

Re: How to extract fields (in props.conf) based on conditional regex?

Jamie — Mon, 23 Jan 2023 16:28:48 GMT

Ciao Giuseppe,

Thank you for the suggestion.

Testing is tricky; configuration in props.conf vs the web GUI need to be implemented differently as my events have blackslashes and double quotes. So just using the web GUI for now, I have (note how I have had to specific 4 x backslash):

| makeresults 
| eval account="notification that user mydomain\bob has,notification that user fred has,notification that user 01\ralph has" 
| makemv account delim="," 
| mvexpand account
| rex field=account "notification that user (?<domain>[\w\d]+)\\\\"
| fillnull domain value="NULL"

I have removed the double quotes around each domain\user and user for now as that was making things even trickier (I'll resolve that later)

This gives me the domain as per the event or NULL, which is great. Any thoughts on how to get the user in both cases -- when there is a domain and when there isn't? My regex attempts suck in the domain as the user.

I need something like if domain != NULL regex_to_get_user

Re: How to extract fields (in props.conf) based on conditional regex?

Jamie — Mon, 23 Jan 2023 17:19:31 GMT

This seems to work:

| makeresults 
| eval account="notification that user \"mydomain\bob\" has,notification that user \"fred\" has,notification that user \"01\ralph\" has" 
| makemv account delim="," 
| mvexpand account
| rex field=account "notification that user \"(?<domain>[\w\d]+)(\\\\)"
| rex field=account "notification that user \"(\w+\\\\)?(?<user>[\w\d]+)"
| fillnull domain value="NULL"

I might need to tweak the character elements to cater for my domain\user variants...but for now...

Re: How to extract fields (in props.conf) based on conditional regex?

gcusello — Mon, 23 Jan 2023 18:47:40 GMT

Hi @Jamie,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: How to extract fields (in props.conf) based on conditional regex?

Jamie — Wed, 25 Jan 2023 15:29:01 GMT

I had quite a lot of trouble getting the regexes that worked in the GUI to work in props.conf, however, I finally found that this works:

EXTRACT-domain = notification that user \"(?<domain>[\w\d]+)(\\)
EXTRACT-user = notification that user \"([\w\d]+(\\))?(?<user>[\w\d]+)\"
EVAL-domain = if(isnull(domain), "localhost", domain)

I'd be grateful if someone could explain why:

- it was necessary for EXTRACT-domain in the GUI to use four backslashes.

- it was necessary for EXTRACT-domain in props.conf to only need two backslashes in a capture group.

Thank you.

Re: How to extract fields (in props.conf) based on conditional regex?

gcusello — Wed, 25 Jan 2023 15:48:43 GMT

Hi @Jamie,

as I said, good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: How to extract fields (in props.conf) based on conditional regex?

Jamie — Wed, 25 Jan 2023 16:04:52 GMT

FYI - The two extracts could be done as follows (courtesy of a colleague):

EXTRACT-user_domain = notification that user \"(?<domain>[\w\d.]+\\)?(?<user>[^\"]+)\"