Knowledge Management

How to avoid comma separated delimiter being escaped by backslash in an event?

mayurr98
Super Champion

Hello Splunkers,

I have an event like this:

 

 

blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,Generic PUA JB,,Endpoint Protection

 

 

I am extracting fields using comma separator delimiter, so my props.conf and transform.conf is:

 

 

transforms.conf

[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product

props.conf 

[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype

 

 

Now the output that I am getting is :

file_path = \\program_files\c\Drivers\,

severity=

severity_id= Generic PUA GB

signature=

signature_id= Endpoint Protection

vendor_product=

All the fields before file_path are getting extracted properly and after file_path are incorrect because it's adding comma and thus not separating properly. how do I ignore the \, and extract the fields properly.

Thank you in advance

Labels (1)
0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @mayurr98,

I tried out a new props that looks like it's getting the fields to ingest correctly - 

transforms.conf

[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product

props.conf 

[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype
SEDCMD=s/^((?:[^,]+,){4}[^,]+)(?<=\\),/\1\\,/


I've only added one additional line in the props - a sedcmd to add an escape to any trailing slash in the file_path segment.

With that config set up, the data is ingested with the correct vendor_product field:

danspav_0-1685942678344.png

Cheers,
Daniel

 

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...