Getting Data In

Parsing of makeresults

awmorris
Path Finder

I executed the following SPL with makeresults, but the results only give me the fields _time and _raw... I don't get parsed fields. Can this be solved?

|makeresults count=100|eval _raw="Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" "
0 Karma

to4kawa
Ultra Champion
|makeresults 
|eval _raw="Process Create:
 UtcTime: 2017-04-28 22:08:22.025
 ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
 ProcessId: 6228
 Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
 CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
 User: LAB\rsmith
 LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
 LogonId: 0x7EB05
 TerminalSessionId: 1
 IntegrityLevel: Medium
 Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
 ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
 ParentProcessId: 13220
 ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" "
 | rex mode=sed "s/(\\\)/\1\1/g"
 | eval _raw=replace(_raw,"\"","\\\"")
 | rex mode=sed "s/(?m)\/$/\/ /g"
 | rex mode=sed "s/(?m) ?(.+?): (.+)$/\"\1\": \"\2\"/g"
 | rex mode=sed "s/(?m)$/,/g"
 | rex mode=sed "s/^(.+?):.+/{\"\1\":{/1"
 | rex mode=sed "s/,$/}}/1"
 | spath

I do not recommend this.

0 Karma

woodcock
Esteemed Legend

Try this:

|makeresults count=100|eval _raw="Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\""
| rex mode=sed "s/Process Create:.*/'/ s/:\\s+/='/g s/([\\r\\n]+)/'\1/g"
| kv
| table _raw *
0 Karma

kamlesh_vaghela
SplunkTrust

@awmorris

I've tried using rex command. Can you please try below search? I have generated 10 records for testing.

| makeresults count=10 
| eval _raw="Process Create:
 UtcTime: 2017-04-28 22:08:22.025
 ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
 ProcessId: 6228
 Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
 CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
 User: LAB\rsmith
 LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
 LogonId: 0x7EB05
 TerminalSessionId: 1 
 IntegrityLevel: Medium
 Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
 ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
 ParentProcessId: 13220
 ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" " 
| rex field=_raw "(?<data_field>.+[^:]): (?<data_value>.+[^$])" max_match=0 
| eval num=1,tmp=mvzip(data_field,data_value) 
| accum num 
| stats count by num,tmp | eval data_field=trim(mvindex(split(tmp,","),0)),data_value=trim(mvindex(split(tmp,","),1)), {data_field}=data_value | stats values(*) as * by num | fields - data_field,data_value,num,tmp,count
0 Karma

richgalloway
SplunkTrust

Your SPL only creates two fields: _time (via makeresults) and _raw. If you use | makeresults annotate=true you'll also get the host, source, sourcetype, splunk_server, and splunk_server_group fields. The _raw field will not be parsed automatically. It's up to you to do that using such SPL commands as rex and extract.

---
If this reply helps you, Karma would be appreciated.
0 Karma
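The reply above is right that nothing parses _raw for you; the parsing has to be done explicitly. As an added example (not from this thread, and written in Python rather than SPL so it can be run offline), here is a small parser for the Sysmon "Key: Value" block the question embeds. It splits each line on the first ": " only, so command lines that contain ": " survive intact, treats lines without a key as continuations, and expands the Hashes field; the sample event is copied from the question, the continuation-line handling and the `parse_sysmon_event` / `KEY_RE` names are my own.

```python
import re

# Sample Sysmon "Process Create" text, copied from the _raw in the question
# above (same event; the SPL string escaping \" is dropped here).
SAMPLE_EVENT = r"""Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
"""

KEY_RE = re.compile(r"\w+")  # Sysmon field names are single words


def parse_sysmon_event(raw):
    """Return (event_type, fields) for a Sysmon 'Key: Value' text block.

    Each line is split on its FIRST ': ' only, so a value containing ': '
    (common in command lines) stays whole; a greedy '(.+): (.+)' regex
    would split at the LAST separator. Lines with no 'Key: ' prefix are
    appended to the previous value. Hashes becomes a dict, e.g. {'SHA256': ..}.
    """
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    event_type = None
    if lines and lines[0].endswith(":") and ": " not in lines[0]:
        event_type = lines.pop(0).rstrip(":")   # header such as "Process Create:"
    fields, last_key = {}, None
    for line in lines:
        key, sep, value = line.partition(": ")
        if sep and KEY_RE.fullmatch(key):
            fields[key] = value
            last_key = key
        elif last_key is not None:              # wrapped continuation line
            fields[last_key] += " " + line
    if "Hashes" in fields:                      # "MD5=..,SHA256=.." -> dict
        fields["Hashes"] = dict(h.split("=", 1) for h in fields["Hashes"].split(",") if "=" in h)
    return event_type, fields
```

Feeding the same text through this and through the rex-based searches in the thread is a quick way to check that a value with an embedded ": " (or a trailing backslash, as in CurrentDirectory) came out the way you expect.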

kamlesh_vaghela
SplunkTrust

@richgalloway

I think there is a TYPO in the command. It should be |makeresults annotate=true.

0 Karma

richgalloway
SplunkTrust

I fixed it.

---
If this reply helps you, Karma would be appreciated.
0 Karma