Field Extractions Not Working in props.conf - Split Field by slashes

astackpole
Path Finder

I have a field I am trying to split into new fields and it's not taking. The strings look similar to this: "AV:N/AC:P/PR:X", and I'm trying to extract the vector to equal just the first values (AV:N). I am trying to extract each part between the slashes (var1=AV:N, var2=AC:P) but am not sure why it's not taking. My props.conf is below; any help with the regex or why this may not be working is greatly appreciated!

[sourcetype]
EXTRACT-vector = AV:(?<field_trying_to_extract_from>\w+)

[sourcetype]
Eval-vector = case(vector="AV:N", "Network", vector="AV:A", "Adjacent", vector="AV:L", "Local", vector="AV:P", "Physical")

astackpole
Path Finder

Hmm, that didn't seem to fix the issue. I had been using the following case statements in the UI for dashboard queries as a temporary solution. Is there a way to convert the following into something extractable/usable in props.conf? It seems since eval doesn't take wild characters the case statement won't work the way you mentioned in props.conf until the calculated fields are successfully split by their slashes.

| eval vecs=split(field_to_extract_from,"/")
| eval C=mvindex(vecs,5)
| eval I=mvindex(vecs,6)
| eval A=mvindex(vecs,7)
| eval DCO=case(C = "C:H", "High", C="C:M", "Moderate", C="C:L", "Low", C="C:N", "None")

astackpole
Path Finder

I'm also getting this error on restart for the Eval commands, if this is helpful as well:
Checking conf files for problems...
Invalid key in stanza
[sourcetype] in /opt/splunk/etc/apps/app/local/props.conf, line 14: Eval-Attack_Vector (value: case(Attack_Vector="AV:N", "Network", Attack_Vector="AV:A")).

richgalloway
SplunkTrust

In EXTRACT, the string following "EXTRACT-" is just a label, not a field. The capture group in the regex specifies the name of the field to extract. The field to extract FROM is _raw by default, or can be specified by the in keyword.

EXTRACT-vector = AV:(?<vector>\w+) in field_trying_to_extract_from

The field name used in the EVAL must match that extracted by EXTRACT.

---
If this reply helps you, an upvote would be appreciated.
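As an added illustration (not part of the thread, and not Splunk code), the following Python mirrors the two approaches discussed above: the regex extraction from the answer (`AV:(?<vector>\w+)` against the vector field) and the `split`/`mvindex`/`case()` search from the second post. The label tables are taken from the `case()` statements posted in the thread; the sample vector strings are constructed. Note that the capture group returns only the part after `AV:`, so the lookup keys are the single metric values, not `AV:N`.

```python
from __future__ import annotations

import re

# Constructed sample vector strings in the shape the question describes.
SAMPLE_VECTORS = [
    "AV:N/AC:P/PR:X",
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "AV:L/AC:H/Au:N/C:M/I:N/A:L",
]

# Python equivalent of the props.conf extraction from the answer:
#   EXTRACT-vector = AV:(?<vector>\w+) in <field>
# Python's re spells a named group (?P<name>...) where Splunk's PCRE uses (?<name>...).
VECTOR_RE = re.compile(r"AV:(?P<vector>\w+)")

# Lookup tables mirroring the case() statements posted in the thread.
ATTACK_VECTOR_LABELS = {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}
CONFIDENTIALITY_LABELS = {"H": "High", "M": "Moderate", "L": "Low", "N": "None"}


def extract_attack_vector(raw: str) -> str | None:
    """Return the AV value (e.g. 'N') as the EXTRACT stanza would, or None if absent."""
    match = VECTOR_RE.search(raw)
    return match.group("vector") if match else None


def split_metrics(raw: str) -> dict[str, str]:
    """Split on '/' like eval split(...) and key each part by its metric abbreviation.

    Keying by name, rather than by position as mvindex(vecs, 5) does, is not
    thrown off by a leading 'CVSS:3.1/' prefix or by a vector with fewer parts.
    """
    metrics: dict[str, str] = {}
    for part in raw.split("/"):
        key, sep, value = part.partition(":")
        if sep and key != "CVSS":  # skip the version prefix, keep real metrics
            metrics[key] = value
    return metrics


def describe(raw: str) -> dict[str, str | None]:
    """Map the split metrics to readable labels, as the eval case() statements do."""
    metrics = split_metrics(raw)
    return {
        "attack_vector": ATTACK_VECTOR_LABELS.get(metrics.get("AV")),
        "confidentiality": CONFIDENTIALITY_LABELS.get(metrics.get("C")),
    }
```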