Field Extractions Not Working in props.conf - Split Field by slashes

astackpole
Path Finder

I have a field I am trying to split into new fields and it's not taking. The strings look similar to this: "AV:N/AC:P/PR:X", and I'm trying to extract the vector to equal just the first value (AV:N). I am trying to extract each part between the slashes (var1=AV:N, var2=AC:P) but am not sure why it's not taking. My props.conf is below; any help with the regex or why this may not be working is greatly appreciated!

[sourcetype]
EXTRACT-vector = AV:(?<field_trying_to_extract_from>\w+)

[sourcetype]
Eval-vector = case(vector="AV:N", "Network", vector="AV:A", "Adjacent", vector="AV:L", "Local", vector="AV:P", "Physical")

0 Karma

astackpole
Path Finder

Hmm, that didn't seem to fix the issue. I had been using the following case statements in the UI for dashboard queries as a temporary solution. Is there a way to convert the following into something extractable/usable in props.conf? It seems since eval doesn't take wild characters the case statement won't work the way you mentioned in props.conf until the calculated fields are successfully split by their slashes.

| eval vecs=split(field_to_extract_from,"/")
| eval C=mvindex(vecs,5)
| eval I=mvindex(vecs,6)
| eval A=mvindex(vecs,7)
| eval DCO=case(C = "C:H", "High", C="C:M", "Moderate", C="C:L", "Low", C="C:N", "None")

0 Karma

astackpole
Path Finder

I'm also getting this error on restart for the Eval commands, if this is helpful as well:
Checking conf files for problems...
Invalid key in stanza
[sourcetype] in /opt/splunk/etc/apps/app/local/props.conf, line 14: Eval-Attack_Vector (value: case(Attack_Vector="AV:N", "Network", Attack_Vector="AV:A")).

0 Karma

richgalloway
SplunkTrust

In EXTRACT, the string following "EXTRACT-" is just a label, not a field.  The capture group in the regex specifies the name of the field to extract.  The field to extract FROM is _raw by default or can be specified by the in keyword.

EXTRACT-vector = AV:(?<vector>\w+) in field_trying_to_extract_from

The field name used in the EVAL must match that extracted by EXTRACT.

---
If this reply helps you, Karma would be appreciated.
0 Karma
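The following props.conf stanza is an added example, not part of the thread or of the answer above. It puts together the two points the thread raises: named capture groups (not the label after "EXTRACT-") decide the field names, and the calculated-field key is written "EVAL-" in upper case, which is why the "Eval-Attack_Vector" key was rejected as invalid. The stanza name "sourcetype", the source field name "field_to_extract_from" and the value-to-label mappings are taken from the posts; the field names var1, var2, var3, vector, C and DCO are the poster's own choices, and the assumption is that field_to_extract_from already exists as an indexed or search-time field.

```ini
# Added example: one props.conf stanza that splits "AV:N/AC:P/PR:X"-style
# values into fields and labels them. Stanza and field names are placeholders
# taken from the thread.
[sourcetype]

# 1) Regex extraction. The text after "EXTRACT-" is only a label; each named
#    capture group becomes a field. [^/]+ matches everything up to the next
#    slash, so for "AV:N/AC:P/PR:X" var1 = "AV:N", var2 = "AC:P", var3 = "PR:X".
#    "in <field>" runs the regex against that field instead of _raw.
EXTRACT-vector_parts = (?<var1>[^/]+)/(?<var2>[^/]+)/(?<var3>[^/]+) in field_to_extract_from

# 2) Calculated field. The key is "EVAL-<new_field_name>" in upper case, and
#    the expression may use any field an EXTRACT in the same stanza produced.
EVAL-vector = case(var1=="AV:N", "Network", var1=="AV:A", "Adjacent", var1=="AV:L", "Local", var1=="AV:P", "Physical")

# 3) The split()/mvindex() approach from the dashboard query works here too.
#    Calculated fields cannot reference other calculated fields, so the split
#    is repeated inside each expression instead of being stored in "vecs".
EVAL-C = mvindex(split(field_to_extract_from, "/"), 5)
EVAL-DCO = case(mvindex(split(field_to_extract_from, "/"), 5)=="C:H", "High", mvindex(split(field_to_extract_from, "/"), 5)=="C:M", "Moderate", mvindex(split(field_to_extract_from, "/"), 5)=="C:L", "Low", mvindex(split(field_to_extract_from, "/"), 5)=="C:N", "None")
```

After saving the file, reload search-time extractions (a restart, or running "| extract reload=true" in a search) and check the result with a search such as "sourcetype=sourcetype | table field_to_extract_from var1 var2 var3 vector C DCO". If a field stays empty, "splunk btool props list sourcetype --debug" shows which props.conf file actually supplies the stanza, which catches the common case of an edit landing in a different app or in default instead of local.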