How to parse log with a lot of indicators?

anissabnk — Wed, 25 Jan 2023 21:24:05 GMT

Hello everyone,

I have a question for you, and I need your help please 🙂

I have some logs, but the parsing isn't done.

In a same log, I have a lot of indicators and I need to extract the fields :

-cpu_model

- device_type:
-distinguished_name:
- entity:
- last_boot_duration:

- last_ip_address:
- last_logon_duration:

- last_logon_time:

- last_system_boot:
- mac_addresses: [

00:42:38:CA:81:72
00:42:38:CA:81:7300:42:38:CA:81:76
         02:42:38:CA:81:72
         74:78:27:91:41:BB
         B0:9F:80:55:40:44
       ]
- name: PCW-TOU-76566
-number_of_days_since_last_boot:
- number_of_days_since_last_logon:
-  number_of_monitors: 3
- os_version_and_architecture: Windows 10 Pro 21H2 (64 bits)
- platform: windows
- score:Device performance/Boot speed: null
-system_drive_capacity: 506333229056
-  system_drive_usage: 0.19
- total_nonsystem_drive_capacity: 0
-total_nonsystem_drive_usage: null
-total_ram: 8589934592

The log is like this :

What can I do to have the fields extracted to develop my indicators ?

The regex method is not possible in this case, can I use rex command ? and how I can do for this example ?

I need your help, thank you so much

Re: Parsing log with a lot of indicators

ITWhisperer — Wed, 25 Jan 2023 18:36:58 GMT

This looks like JSON. Use the spath command

| spath

topic Re: Parsing log with a lot of indicators in Splunk Search

How to parse log with a lot of indicators?

Re: Parsing log with a lot of indicators