Re: Add extractions

bshuler_splunk · ‎08-23-2016

I would like for you to add these extractions to your app. The function as your cefkv command does, but without the need for the command:

I believe you already have the extractions for EXTRACT-cef-0 and EXTRACT-cef-3, but I would like to see the others added.

KV_MODE = None
ANNOTATE_PUNCT = false

# This extracts the CEF header
EXTRACT-cef-0 = CEF:\s?(?<cef_cefVersion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)
# This extracts all values where the Label is before the value. Example cs1Label=FirstName cs1=John
EXTRACT-cef-1 = (?:([\d\w]+)Label=(?<_KEY_1>\S+))(?=.*\1=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=))
# This extracts all values where the Label is after the value. cs1=John Example cs1Label=FirstName
EXTRACT-cef-2 = (?:([\w\d]+)=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=)(?=.*\1Label=(?<_KEY_1>\S+)))
# This extracts all key=value of this field
EXTRACT-cef-3 = (?<_KEY_1>[^\s\|]+)=(?<_VAL_1>[^=]+)(?=\s+\w+=|$)
# This extracts key:value from the msg field
EXTRACT-cef-4 = (?<_KEY_1>\S+):(?<_VAL_1>\S+) IN msg

bshuler_splunk · ‎08-23-2016

I added my changes here: https://github.com/bshuler/TA-cefutils

I'd love to fold these into your app if it meets with your approval.

Add extractions

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation