@richgalloway Hi,

Instead of using SEDCMD-rm can we use like this ?

REGEX = cs4=(\w+) cs4Label=([\s]+)
FORMAT = $2::$1

eg: cs4= will smith
cs4Label=suser display name

Thanks..

That's an intriguing idea.  I think it would work except for the matter of the cs4Label value contains embedded spaces.  Field names with spaces can be a problem in Splunk.

Hi @richgalloway ,

Could you pls write the sed command to remove the space between the field names.

Thanks..

I don't have a SEDCMD that would do that well.  SEDCMD applies to _raw rather than individual fields so a regex would have to be very specific to avoid removing too many spaces or otherwise damaging other fields.

Hi@richgalloway ,
I've heard that the field name removal isn't feasible while we're receiving logs from the syslog server. Is that correct to your knowledge?
Thanks

I think that would depend on how the syslog data is received, but I believe it's still possible.

...

It should be done with two SEDCMD statements since the fields may not be next to each other.

SEDCMD-no_cs4 = s/cs4=.*?(\w+=)|$/\1/
SEDCMD-no_cs4Label = s/cs4Label=.*?(\w+=)|$/\1/
SEDCMD-no_cs3 = s/cs3=.*//
SEDCMD-no_cs3Label = s/cs3Label=.*?(\w+=)|$/\1/

I've also assumed the cs3 field is always last, but that may be erroneous..

Hi @richgalloway ,

Pls help me in extracting  the fields from the details value i.e approved=xyz, from=11/17/2023 06:22 AM , until =11/18/2023 12:00 AM, it should not be the event specific !

Details: Approved xyz from 11/17/2023 06:22 AM until 11/18/2023 12:00 AM.  

Thanks

In case the field may be in a different order, use multiple rex commands to extract them.

| rex "approved=(?<approved>[^,]+)"
| rex "from=(?<from>[^,]+)"
| rex "until =(?<until>[^,]+)"

I hope you see the pattern.

@richgalloway ,

How we can correlate data across different languages or datasets.

For the specific case of merging "Approuvé" (French) and "Approved" (English) fields..

 english :    Approved Sachin tendulakr from 11/25/2023 07:03 AM until 11/25/2023 03:03 PM. 

 french : Approuvé - Approuvé Salmon du 11/23/2023 02:10 PM au 12/23/2023 02:10 PM . 

English           French

Approved     Approuvé

from                du

until                au

Thanks

Any time multiple words are used for the same meaning, whether in different languages or the same language, they should be normalized before use.   I like to use the case function for that.

| eval status=case(status="Approved" OR status="Approuvé", "Approved",
                   1==1, "Denied")

 As for separator words in different languages, just incorporate them into your regex

| rex "(from|du) (?<from_time>.+?) (until|au) (?<until_time>.+"

@richgalloway @inventsekar ,

Could you pls help me in extracting the fields from below events .

2023-12-05 07:57:02,995 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] VERBOSE Thycotic.Discovery.Sources.Scanners.PowershellDiscoveryScanner - Value: xxx.com - (null)
2023-12-05 07:57:02,991 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] VERBOSE Thycotic.Discovery.Sources.Scanners.PowershellDiscoveryScanner - Name: xxx - (null)
2023-12-05 07:57:02,986 [CID:] [C:] [TID:PriorityScheduler Elastic Thread @ Normal] VERBOSE 

We've been through this exercise several times now.  Show us what you've learned.  What have you tried as a means of extracting fields from those events?  What were the results?  Have you at least identified what fields must be extracted?

Looks good to me.  Of course, change "mysourcetype" to the actual sourcetype name.

Hello @richgalloway,

• What is the difference between KV_Mode=auto and KV_Mode=none.
• Add-on builder is not supported in splunk cloud,how we can build the app in windows?

Thanks..

1. KV_MODE=auto means Splunk will automatically extract fields when it finds data in key=value format.  KV_MODE=none means Splunk disables search-time extraction of the host, source, and sourcetype fields.  This can be useful if you extract these fields yourself.
2. The add-on builder must be used in a local, non-clustered instance.  It should work on Windows, but I've not done so myself.  Apps built on a Windows platform will not pass Splunk Cloud app vetting because Windows does not set the file permissions correctly.

...

Please identify the user and domain fields in each event and I'll try to help you extract them.

@richgalloway ,

How we can exclude these cs2,Cs2label fields using the sed command in props.
Thanks.