Parsing of makeresults

Path Finder

I executed the following SPL with makeresults, but the results only give me the fields _time and _raw... I don't get parsed fields. Can this be solved?

|makeresults count=100|eval _raw="Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" "
0 Karma

Ultra Champion
|makeresults 
|eval _raw="Process Create:
 UtcTime: 2017-04-28 22:08:22.025
 ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
 ProcessId: 6228
 Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
 CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
 User: LAB\rsmith
 LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
 LogonId: 0x7EB05
 TerminalSessionId: 1
 IntegrityLevel: Medium
 Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
 ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
 ParentProcessId: 13220
 ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" "
 | rex mode=sed "s/(\\\)/\1\1/g"
 | eval _raw=replace(_raw,"\"","\\\"")
 | rex mode=sed "s/(?m)\/$/\/ /g"
 | rex mode=sed "s/(?m) ?(.+?): (.+)$/\"\1\": \"\2\"/g"
 | rex mode=sed "s/(?m)$/,/g"
 | rex mode=sed "s/^(.+?):.+/{\"\1\":{/1"
 | rex mode=sed "s/,$/}}/1"
 | spath

I do not recommend.

0 Karma

Esteemed Legend

Try this:

|makeresults count=100|eval _raw="Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\""
| rex mode=sed "s/Process Create:.*/'/ s/:\\s+/='/g s/([\\r\\n]+)/'\1/g"
| kv
| table _raw *
0 Karma

SplunkTrust

@awmorris

I've tried using the rex command. Can you please try the search below? I have generated 10 records for testing.

| makeresults count=10 
| eval _raw="Process Create:
 UtcTime: 2017-04-28 22:08:22.025
 ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
 ProcessId: 6228
 Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
 CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
 User: LAB\rsmith
 LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
 LogonId: 0x7EB05
 TerminalSessionId: 1 
 IntegrityLevel: Medium
 Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
 ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
 ParentProcessId: 13220
 ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" " 
| rex field=_raw "(?<data_field>.+[^:]): (?<data_value>.+[^$])" max_match=0 
| eval num=1,tmp=mvzip(data_field,data_value) 
| accum num 
| stats count by num,tmp | eval data_field=trim(mvindex(split(tmp,","),0)),data_value=trim(mvindex(split(tmp,","),1)), {data_field}=data_value | stats values(*) as * by num | fields - data_field,data_value,num,tmp,count
0 Karma

SplunkTrust

Your SPL only creates two fields: _time (via makeresults) and _raw. If you use | makeresults annotate=true you'll also get the host, source, sourcetype, splunk_server, and splunk_server_group fields. The _raw field will not be parsed automatically. It's up to you to do that using SPL commands such as rex and extract.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
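The rex/kv pipelines in the earlier replies and the point made here all come down to one job: splitting a multi-line "Key: value" Sysmon message into fields, because makeresults gives you _raw and nothing else. As an added example that is not from this thread, the following Python does the same parse offline, which is handy for checking what values a search-time extraction should produce before writing the rex. The sample is the question's own Process Create message with the \" escapes from the SPL eval resolved; the function names (parse_process_create, parse_hashes, command_line_flags) are this example's own. It splits each line at the first ": " rather than the last, so a command line that itself contains ": " keeps its full value, tolerates the leading spaces seen in two of the replies, breaks the Hashes field into per-algorithm digests, and tokenizes CommandLine with quoted paths intact so switches such as --no-sandbox can be inspected.

```python
import re
from typing import Dict, List

# Constructed sample: the Sysmon "Process Create" message from the question,
# as it would sit in _raw once the \" escapes of the SPL eval are resolved.
SAMPLE_RAW = r'''Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"'''

# A field name is a bare identifier followed by a colon; because the key can
# never contain ':', the split always lands on the FIRST colon of the line.
# Values such as "C:\..." or "22:08:22" are therefore never cut in half.
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*):\s?(.*)$')

# Tokens of a Windows command line: a double-quoted run or a bare word.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_process_create(raw: str) -> Dict[str, str]:
    """Split a multi-line 'Key: value' Sysmon message into a flat dict.

    The first line ("Process Create:") has no value and is stored as EventType.
    Lines that do not look like 'Key: value' are treated as a continuation of
    the previous field (a wrapped command line), joined with a newline.
    Leading/trailing whitespace on each line is ignored.
    """
    fields: Dict[str, str] = {}
    lines = [ln.strip() for ln in raw.splitlines()]
    if lines and lines[0].endswith(':') and ': ' not in lines[0]:
        fields['EventType'] = lines[0][:-1]
        lines = lines[1:]
    last_key = None
    for line in lines:
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2)
            fields[last_key] = value
        elif last_key is not None:
            fields[last_key] = fields[last_key] + '\n' + line
    return fields


def parse_hashes(value: str) -> Dict[str, str]:
    """Turn 'SHA256=...,MD5=...' into {'SHA256': '...', 'MD5': '...'}."""
    out: Dict[str, str] = {}
    for item in value.split(','):
        algo, sep, digest = item.partition('=')
        if sep:
            out[algo.strip().upper()] = digest.strip()
    return out


def command_line_flags(command_line: str) -> List[str]:
    """Return the '--switch' names of a command line, values after '=' dropped.

    Quoted paths stay one token, so spaces inside "C:\\Program Files" do not
    produce bogus tokens.
    """
    tokens = _TOKEN_RE.findall(command_line)
    return [t.split('=', 1)[0] for t in tokens if t.startswith('--')]


if __name__ == '__main__':
    parsed = parse_process_create(SAMPLE_RAW)
    for key, val in parsed.items():
        print(f'{key} = {val}')
    print('hashes:', parse_hashes(parsed['Hashes']))
    print('flags :', command_line_flags(parsed['CommandLine']))
```

Running the block prints one line per extracted field, followed by the digest map and the list of switches. The field names match what the rex and kv replies produce, so the output doubles as an expected-values list when validating a Splunk extraction against the same sample.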

SplunkTrust

@richgalloway

I think there is a TYPO in the command. It should be |makeresults annotate=true.

0 Karma

SplunkTrust

I fixed it.

---
If this reply helps you, an upvote would be appreciated.
0 Karma