Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I use delimiter attribute in transforms.conf to extract values for each individual field whose values are enclosed in double quotes ("")?

mohammed7860
Explorer
‎12-16-2016 01:36 PM

Hi:

I have following sample events:

start_time="XXX" end_time="XXX" dest_dns="" dest_mac="" dest_ip="56.00.00.185" cpe="" dest_port_proto="6" dest_port="399" severity="2" signature_id="10001" signature_family="12" signature="The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.\n\nNote: This is considerably easier to exploit if the attacker is on the same physical network." exploitAvailable="false" exploitEase="" synopsis="The remote service supports the use of medium strength SSL ciphers." solution="Reconfigure the affected application if possible to avoid use of medium strength ciphers." cve="" netbiosName="XXX" hasBeenMitigated="0" firstSeen="1481797392" lastSeen="1481797392" name="SSL Medium Strength Cipher Suites Supported" cvssVector="XXX" baseScore="4.3" temporalScore=""

How do I use delimiter attribute in transforms.conf to extract values for each individual field whose values are enclosed in ""?

Any help is greatly appreciated.

Mohammed

0 Karma
Reply

bambarit
Explorer
‎07-15-2021 08:29 PM

try this

 

Spoiler
((?:[^\s\|]|(?<=\\)\|)+)=\"((?:\\\=|[^=])*)"
0 Karma
Reply

securityForMe
Engager
‎12-19-2016 02:20 AM

Hi
You can configure your file $SPLUNK_HOME/etc/apps//local/props.conf like this:

[REPORT-Something]
DELIMS = " " (with a space inside)
FIELDS = "filedname1","filedname2","filedname3"

Make sure you restart splunk after change the file, then you can get the keys by split with "=".

0 Karma
Reply

somesoni2
Revered Legend
‎12-16-2016 02:05 PM

These are in standard Key value pair format and Splunk should automatically extract these fields. Have you tried ingesting it to Splunk and checked the default field extractions?

0 Karma
Reply

mohammed7860
Explorer
‎12-16-2016 03:29 PM

The default field extractions don't work. I still see the values within double quotes

0 Karma
Reply

sundareshr
Legend
‎12-16-2016 04:53 PM

Please share the props.conf stanza your are using

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top