Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use delimiter attribute in transforms.conf to extract values for each individual field whose values are enclosed in double quotes ("")?

mohammed7860
Explorer
‎12-16-2016 01:36 PM

Hi:

I have following sample events:

start_time="XXX" end_time="XXX" dest_dns="" dest_mac="" dest_ip="56.00.00.185" cpe="" dest_port_proto="6" dest_port="399" severity="2" signature_id="10001" signature_family="12" signature="The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.\n\nNote: This is considerably easier to exploit if the attacker is on the same physical network." exploitAvailable="false" exploitEase="" synopsis="The remote service supports the use of medium strength SSL ciphers." solution="Reconfigure the affected application if possible to avoid use of medium strength ciphers." cve="" netbiosName="XXX" hasBeenMitigated="0" firstSeen="1481797392" lastSeen="1481797392" name="SSL Medium Strength Cipher Suites Supported" cvssVector="XXX" baseScore="4.3" temporalScore=""

How do I use delimiter attribute in transforms.conf to extract values for each individual field whose values are enclosed in ""?

Any help is greatly appreciated.

Mohammed

0 Karma
Reply

bambarit
Explorer
‎07-15-2021 08:29 PM

try this

 

Spoiler
((?:[^\s\|]|(?<=\\)\|)+)=\"((?:\\\=|[^=])*)"
0 Karma
Reply

securityForMe
Engager
‎12-19-2016 02:20 AM

Hi
You can configure your file $SPLUNK_HOME/etc/apps//local/props.conf like this:

[REPORT-Something]
DELIMS = " " (with a space inside)
FIELDS = "filedname1","filedname2","filedname3"

Make sure you restart splunk after change the file, then you can get the keys by split with "=".

0 Karma
Reply

somesoni2
Revered Legend
‎12-16-2016 02:05 PM

These are in standard Key value pair format and Splunk should automatically extract these fields. Have you tried ingesting it to Splunk and checked the default field extractions?

0 Karma
Reply

mohammed7860
Explorer
‎12-16-2016 03:29 PM

The default field extractions don't work. I still see the values within double quotes

0 Karma
Reply

sundareshr
Legend
‎12-16-2016 04:53 PM

Please share the props.conf stanza your are using

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...