Getting Data In

Parsing of makeresults

awmorris
Path Finder

I executed the following SPL with makeresults, but the results only give me the fields for _time and _raw... I don't get parsed fields. Can this be solved?

|makeresults count=100|eval _raw="Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" "
0 Karma

to4kawa
Ultra Champion
|makeresults 
|eval _raw="Process Create:
 UtcTime: 2017-04-28 22:08:22.025
 ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
 ProcessId: 6228
 Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
 CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
 User: LAB\rsmith
 LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
 LogonId: 0x7EB05
 TerminalSessionId: 1
 IntegrityLevel: Medium
 Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
 ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
 ParentProcessId: 13220
 ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" "
 | rex mode=sed "s/(\\\)/\1\1/g"
 | eval _raw=replace(_raw,"\"","\\\"")
 | rex mode=sed "s/(?m)\/$/\/ /g"
 | rex mode=sed "s/(?m) ?(.+?): (.+)$/\"\1\": \"\2\"/g"
 | rex mode=sed "s/(?m)$/,/g"
 | rex mode=sed "s/^(.+?):.+/{\"\1\":{/1"
 | rex mode=sed "s/,$/}}/1"
 | spath

I do not recommend.

0 Karma

woodcock
Esteemed Legend

Try this:

|makeresults count=100|eval _raw="Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\""
| rex mode=sed "s/Process Create:.*/'/ s/:\\s+/='/g s/([\\r\\n]+)/'\1/g"
| kv
| table _raw *
0 Karma

kamlesh_vaghela
SplunkTrust

@awmorris

I've tried using rex command. Can you please try below search? I have generated 10 records for testing.

| makeresults count=10 
| eval _raw="Process Create:
 UtcTime: 2017-04-28 22:08:22.025
 ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
 ProcessId: 6228
 Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 CommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
 CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
 User: LAB\rsmith
 LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
 LogonId: 0x7EB05
 TerminalSessionId: 1 
 IntegrityLevel: Medium
 Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
 ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
 ParentProcessId: 13220
 ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 ParentCommandLine: \"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\" " 
| rex field=_raw "(?<data_field>.+[^:]): (?<data_value>.+[^$])" max_match=0 
| eval num=1,tmp=mvzip(data_field,data_value) 
| accum num 
| stats count by num,tmp 
| eval data_field=trim(mvindex(split(tmp,","),0)),data_value=trim(mvindex(split(tmp,","),1)), {data_field}=data_value 
| stats values(*) as * by num 
| fields - data_field,data_value,num,tmp,count
0 Karma

richgalloway
SplunkTrust

Your SPL only creates two fields: _time (via makeresults) and _raw. If you use | makeresults annotate=true you'll also get the host, source, sourcetype, splunk_server, and splunk_server_group fields. The _raw field will not be parsed automatically. It's up to you to do that using such SPL commands as rex and extract.

---
If this reply helps you, Karma would be appreciated.
0 Karma
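The point of the replies above is that nothing parses _raw for you: the "Key: Value" lines of the Sysmon-style message have to be pulled out explicitly, with rex in the search or an extraction in props.conf. The following is an added example, not code from any poster in this thread. It reimplements that extraction in Python so the regex can be checked offline on the sample event before it is pasted into a rex command; the sample event is a constructed copy of the message from the question, and the field name EventType for the header line is an assumption of this example, not something Splunk or Sysmon produces.

```python
import re

# Constructed sample, reproducing the Sysmon-style "Process Create" message from
# the thread as it looks once Splunk has evaluated the eval string (quotes are
# real quotes, backslashes are single backslashes).
SAMPLE_EVENT = "\n".join([
    "Process Create:",
    "UtcTime: 2017-04-28 22:08:22.025",
    "ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}",
    "ProcessId: 6228",
    "Image: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "CommandLine: \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" "
    "--type=utility --lang=en-US --no-sandbox "
    "--service-request-channel-token=F47498BBA884E523FA93E623C4569B94 "
    "--mojo-platform-channel-handle=3432 /prefetch:8",
    "CurrentDirectory: C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.81\\",
    "User: LAB\\rsmith",
    "LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}",
    "LogonId: 0x7EB05",
    "TerminalSessionId: 1 ",
    "IntegrityLevel: Medium",
    "Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57",
    "ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}",
    "ParentProcessId: 13220",
    "ParentImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "ParentCommandLine: \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" ",
])

# One "Key: Value" pair per line. The key is anchored at line start and may not
# contain spaces or colons, so the FIRST ": " on the line is the separator even
# when the value itself contains ": " (a timestamp, or a quoted argument).
# Splunk's rex accepts the same pattern; only the group syntax differs, (?<key>...)
# there instead of Python's (?P<key>...).
FIELD_RE = re.compile(
    r"^[ \t]*(?P<key>[A-Za-z][A-Za-z0-9_]*):[ \t]+(?P<value>.*?)[ \t]*$",
    re.MULTILINE,
)


def parse_kv_message(raw: str) -> dict:
    """Extract the Key: Value lines of a multi-line event into a dict.

    The header line ("Process Create:") carries no value; it is recorded under
    the assumed field name EventType so the event kind is not lost.
    """
    fields = {}
    first = raw.split("\n", 1)[0].strip()
    if first.endswith(":") and not FIELD_RE.match(first):
        fields["EventType"] = first[:-1].strip()
    for m in FIELD_RE.finditer(raw):
        fields[m.group("key")] = m.group("value")
    return fields


def parse_hashes(hashes_value: str) -> dict:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes value into {ALG: hex}."""
    out = {}
    for part in hashes_value.split(","):
        alg, _, digest = part.partition("=")
        if alg and digest:
            out[alg.strip()] = digest.strip()
    return out


if __name__ == "__main__":
    fields = parse_kv_message(SAMPLE_EVENT)
    for k, v in fields.items():
        print(f"{k}={v}")
    print(parse_hashes(fields["Hashes"]))
```

The anchored key pattern matters more than it looks: a greedy `.+` before the colon, as in some of the rex variants above, will happily run past a later ": " inside a value, so the regex should be checked against lines such as a command line containing a colon-space before it is trusted in a search or a props.conf EXTRACT.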

kamlesh_vaghela
SplunkTrust

@richgalloway

I think there is a TYPO in the command. It should be |makeresults annotate=true.

0 Karma

richgalloway
SplunkTrust

I fixed it.

---
If this reply helps you, Karma would be appreciated.
0 Karma