Getting Data In

DB Connect KEY=VALUE Extraction Fail

cdstealer
Contributor

Hi,  I'm struggling to get a complete extraction on any fields that contain double quotes.

The payload:

2021-05-25 07:59:04.000, auditId="17864172953", groups_groupId="4639", groupName="some group name", people_personId="625841", users_userId="152321", userLogin="field-removed", userStaffFlag="false", auditIP="111.222.333.444", auditMod="Module", auditMessage="Module: "mod1" is not present in a check, Module: "mod2" is not present in a check, Module: "mod3" is not present in a check, Module: "mod4" is not present in a check, Module: "mod5" is not present in a check, Module: "mod6" is not present in a check, Module: "mod7" is not present in a check, Module: "mod8" is not present in a check, Module: "mod9" is not present in a check, Module: "mod10" is not present in a check", auditDate="2021-05-25 07:59:04.0", auditType="info", auditRID="88827e1f-d157-46d5-b1b4-20b91d4440a4", auditMicroSeconds="0.0000"

In this example, it's the "auditMessage" key that will not extract completely and stops at the first "Module: "<--

The REGEX (\w+)="(.*?)" Gets me most of the way there (regx101), but doesn't work in splunk.

My Fu has failed me.

Labels (3)
Tags (2)
0 Karma
1 Solution

cdstealer
Contributor

So after a little more reading, this is a known issue with DBConnect.  The official work around is to use KV_MODE and then apply a search time extraction for the problematic fields.

auditMessage="(?P<auditMessage>.+?)",

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Would you believe you're only missing a comma?  This works in regex101.com

(\w+)="(.*?)",
---
If this reply helps you, an upvote would be appreciated.
0 Karma

cdstealer
Contributor

HI Rich,  Thanks for the response.  I had already done that, works in reg101 but not in splunk

I've also come up with (?:([\w+]+)=(?:\")(.+?)(?:\",\s|\"$)) which does exactly what I want on reg101 , but again doesn't work the same in Splunk.

0 Karma

cdstealer
Contributor

So after a little more reading, this is a known issue with DBConnect.  The official work around is to use KV_MODE and then apply a search time extraction for the problematic fields.

auditMessage="(?P<auditMessage>.+?)",

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!