Regex Help

New Member

Need help in removing double quotes from extracted field value.

EVAL-user = nullif(replace(user, "[^:]+:\s(.|\w+\,\s\w+\s{\w+})", "\1"),"")

Sample Log:
2017-02-12 14:02:05,Virus found,Source: Scheduled Scan,Risk name: OSX.Trojan.Gen,Occurrences: 1,/Users/71071190/Downloads/archivemanager.dmg,'',Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2017-02-08 22:38:17,Inserted: 2017-02-12 20:02:05,End: 2017-02-08 22:38:17,Last update time: 2017-02-12 20:02:05,Domain: North America,Group: My Company\North America\Workstations\Macs,User: "ABCD, XYZ {FGH}",Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: UNKNOWN
2017-02-12 14:02:05,Virus found,Source: Scheduled Scan,Risk name: OSX.Trojan.Gen,Occurrences: 1,/Users/71071190/Downloads/archivemanager.dmg,'',Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2017-02-08 22:38:17,Inserted: 2017-02-12 20:02:05,End: 2017-02-08 22:38:17,Last update time: 2017-02-12 20:02:05,Domain: North America,Group: My Company\North America\Workstations\Macs,User: 12345678,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: UNKNOWN

Extracted values:
user = 12345678
user = "ABCD, XYZ {FGH}"

Re: Regex Help

Contributor

Try this:

| rex field=user mode=sed "s/\"/ /g"

Re: Regex Help

New Member

Thank you, rex works.
But we don't want to add it at search time.

Can I update anything in below calculated field?
EVAL-user = nullif(replace(user, "[^:]+:\s(.|\w+\,\s\w+\s{\w+})", "\1"),"")

Re: Regex Help

Esteemed Legend

Like this:

EVAL-user=replace(user, "\"", "")

Re: Regex Help

New Member

Since we already have an existing EVAL-user, where can I add this "\"", "" regex?

EVAL-user = nullif(replace(user, "[^:]+:\s(.|\w+\,\s\w+\s{\w+})", "\1"),"")

Re: Regex Help

Esteemed Legend

You can do 2 passes; put mine after the original.

Re: Regex Help

New Member

Tried this, but it fails. New user value: "ABCD, XYZ {FGH}"s/"/ /g

nullif(replace(user, "[^:]+:\s(.|\w+\,\s\w+\s{\w+})\"?", "s/\"/ /g\1"),"")

Re: Regex Help

New Member

May I know what I'm missing?
nullif(replace(user, "[^:]+:\s(.|\w+\,\s\w+\s{\w+})\"?", "s/\"/ /g\1"),"")

Re: Regex Help

SplunkTrust

Why not just do a search-time field extraction like this?

props.conf on the search head:

[yoursourcetype]
EXTRACT-userfield = ,User:\s+\"*(?<user>.+)\"*,Source computer

See the regex101 page for validation of the regex:
https://regex101.com/r/6e4pdb/1

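An added example, not from this thread, that emulates both approaches in Python: the original EVAL-user regex followed by a second replace() pass that drops the quotes, and the EXTRACT-userfield regex in Python named-group syntax. It assumes the `user` field before the calculated field holds the "User: ..." token, and uses fragments of the thread's own sample events as constructed input; the extraction group is written lazy (.+?) because a greedy .+ followed by "* leaves the closing quote inside the captured value.

```python
import re

# Constructed inputs from the thread's sample events: the assumed value of the
# `user` field before the calculated field runs (the "User: ..." token).
RAW_USER_QUOTED = 'User: "ABCD, XYZ {FGH}"'
RAW_USER_PLAIN = "User: 12345678"

# The thread's EVAL-user regex, unchanged. re.sub replaces every match, as Splunk replace() does.
ORIGINAL_RE = re.compile(r"[^:]+:\s(.|\w+\,\s\w+\s{\w+})")


def eval_user_original(raw):
    # First pass: nullif(replace(user, ORIGINAL_RE, "\1"), "")
    value = ORIGINAL_RE.sub(r"\1", raw)
    return None if value == "" else value


def eval_user_two_pass(raw):
    # Second pass, as suggested in the thread: replace(user, "\"", "") on the first pass's output
    value = eval_user_original(raw)
    return None if value is None else value.replace('"', "")


# Search-time alternative: the EXTRACT-userfield regex in Python syntax ((?P<name>...)).
# The group is lazy (.+?) so the closing quote is consumed by the trailing "* instead of
# being captured; EXTRACT_GREEDY_RE keeps the greedy .+ to show the difference.
EXTRACT_RE = re.compile(r',User:\s+"*(?P<user>.+?)"*,Source computer')
EXTRACT_GREEDY_RE = re.compile(r',User:\s+"*(?P<user>.+)"*,Source computer')

# Constructed event fragment, taken from the thread's first sample log line.
EVENT = (
    "Group: My Company\\North America\\Workstations\\Macs,"
    'User: "ABCD, XYZ {FGH}",Source computer: ,Source IP: '
)


def extract_user(event, pattern=EXTRACT_RE):
    m = pattern.search(event)
    return m.group("user") if m else None


if __name__ == "__main__":
    print(eval_user_original(RAW_USER_QUOTED))     # "ABCD, XYZ {FGH}"  (quotes kept)
    print(eval_user_two_pass(RAW_USER_QUOTED))     # ABCD, XYZ {FGH}
    print(eval_user_two_pass(RAW_USER_PLAIN))      # 12345678
    print(extract_user(EVENT))                     # ABCD, XYZ {FGH}
    print(extract_user(EVENT, EXTRACT_GREEDY_RE))  # ABCD, XYZ {FGH}"
```
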
Re: Regex Help

New Member

Our requirement was to update the above eval function so it can extract all user fields. They don't want to add a search-time field extraction.