topic Re: need way to find this string in Splunk Search

How do I find this string?

ajit4242 — Thu, 02 Mar 2023 15:19:37 GMT

my string is

"abcdxyz|11.2.0000|56|12120|32|1005|15|32|7742|5|54|336|446|203473<"

above string is string in huge log entry , I want to extract above string and then last 4 fields and from above string to map for graph.

I tried using (name="*abcdxyz|11.2.0000|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]<*")

but getting a lot of noise there

Re: need way to find this string

ITWhisperer — Wed, 01 Mar 2023 18:25:35 GMT

| eval name=split(name,"|") | eval lastfour=mvindex(name,-4,-1)

Re: need way to find this string

ajit4242 — Wed, 01 Mar 2023 21:26:27 GMT

thank you for inputs but when trying to apply on whole log its fails

Retrieve |5|act=Retrieve password suser=abcd fname=Root\Operating Systems-admin dvc= shost=1.1.1.1 dhost=asdfek duser=sasassa externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=asasas cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPM<5>138:13Z PRO-ASA CEF:0|Cyber-Ark|baba|11.2.0000|22|sas Verify wd|5|act=abs Verify pas suser=SEFPEOJFEFL fname=Root\Operating System-SASASdfdfd= shost=1.1.1.1 dhost= duser=awsas externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=test1 cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=Ver msg=VerificationPeriodCEF:0|Cyber-Ark|abcdxyz|11.2.0000|64|14555|65|4774|13|32|8207|18|58|336|446|210812<5>1 2023-02-28T23:38:15Z PRO-asa CEF:0|Cyber-Ark|Vault|11.2.0000|51|Retrieve File|5|act=Retrieve File suser=abcd fname=Root\Policies\Policy-GenericWebApp.ini dvc= shost=1.1.1.1 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=CMDsas cs3Label="Device Type" cs3= cs4Label="sasasas"

Re: need way to find this string

ITWhisperer — Wed, 01 Mar 2023 22:06:19 GMT

Has the field (msg?) already been extracted?

Re: need way to find this string

ajit4242 — Thu, 02 Mar 2023 10:35:20 GMT

no, its just the raw log

Re: need way to find this string

ITWhisperer — Thu, 02 Mar 2023 11:14:06 GMT

Given you earlier attempt, perhaps you could try something like this

| rex "abcdxyz\|11\.2\.0000\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|(?<lastfour>[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\<)"

Re: need way to find this string

PickleRick — Thu, 02 Mar 2023 11:17:44 GMT

OK. I'm not sure if it's the case of you pasting the log into the webpage or is it the original data but it seems that it's not properly broken into separate events. That's one thing which must be properly done before you can reliably work with those logs.

Secondly, CyberArk produces CEF logs for which there are several Add-Ons (you might want to compile your own from them; I'm not sure if there is an official Splunk-supplied Add-on for CEF).

Thirdly, this CEF seems a bit misformatted.

Re: need way to find this string

ajit4242 — Thu, 02 Mar 2023 18:52:22 GMT

was able to get it working, first I just got it for all values and then filtered it, thank you for your help

VaultMonitor\|[0-9]+\.[0-9]+\.[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+