Hello Splunkers,
I have an event like this:
blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,Generic PUA JB,,Endpoint Protection
transforms.conf
[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product
props.conf
[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype
Now the output that I am getting is:
file_path = \\program_files\c\Drivers\,
severity=
severity_id= Generic PUA GB
signature=
signature_id= Endpoint Protection
vendor_product=
All the fields before file_path are getting extracted properly, and the ones after file_path are incorrect because it's adding a comma and thus not separating properly. How do I ignore the \, and extract the fields properly?
Thank you in advance.
Hi @mayurr98,
I tried out a new props that looks like it's getting the fields to ingest correctly:
transforms.conf
[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product
props.conf
[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype
SEDCMD=s/^((?:[^,]+,){4}[^,]+)(?<=\\),/\1\\,/
I've only added one additional line in the props: a SEDCMD to add an escape to any trailing slash in the file_path segment.
With that config set up, the data is ingested with the correct vendor_product field:
Cheers,
Daniel
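The following is an added Python model of what the two posts above describe; it is not Splunk's code and not part of the thread. It applies Daniel's SEDCMD (same regex, with the sed replacement written in Python's re.sub notation) to the event from the question and then splits the result on commas. The splitter's rule, that a comma preceded by an odd number of backslashes does not end a field and that field text is kept verbatim, is an assumption chosen because it reproduces the shifted output in the question; the page does not show how Splunk stores the escaped value itself.

```python
import re

# Constructed sample event, copied from the question (backslashes verbatim).
EVENT = r"blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,Generic PUA JB,,Endpoint Protection"

# The FIELDS list from the thread's transforms.conf.
FIELDS = ["action", "category", "dest", "file_name", "file_path",
          "severity", "severity_id", "signature", "signature_id", "vendor_product"]

# The answer's SEDCMD, translated from sed notation to re.sub: the pattern is
# identical; the sed replacement \1\\, is written as the raw string r"\1\\,".
SEDCMD_PATTERN = re.compile(r"^((?:[^,]+,){4}[^,]+)(?<=\\),")
SEDCMD_REPLACEMENT = r"\1\\,"


def apply_sedcmd(event: str) -> str:
    """Double the backslash that ends file_path so the comma after it is a delimiter again."""
    return SEDCMD_PATTERN.sub(SEDCMD_REPLACEMENT, event, count=1)


def split_escape_aware(line: str, delim: str = ",") -> list:
    """Assumption (model, not Splunk's code): a delimiter preceded by an odd number
    of backslashes is treated as escaped and does not end the field; field text is
    kept verbatim. This reproduces the field shift the question reports."""
    fields, current = [], []
    for ch in line:
        if ch == delim:
            trailing = 0
            for prev in reversed(current):
                if prev != "\\":
                    break
                trailing += 1
            if trailing % 2 == 1:  # escaped delimiter: stays inside the field
                current.append(ch)
                continue
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def extract(event: str, fields=FIELDS) -> dict:
    """Map positional values onto FIELDS; missing trailing fields stay empty,
    matching the question's output (vendor_product=)."""
    values = split_escape_aware(event)
    return {name: (values[i] if i < len(values) else "") for i, name in enumerate(fields)}


if __name__ == "__main__":
    for label, ev in (("before SEDCMD", EVENT), ("after SEDCMD", apply_sedcmd(EVENT))):
        print(label)
        for k, v in extract(ev).items():
            print(f"  {k}={v}")
```

Running it prints the shifted extraction first (signature_id=Endpoint Protection, empty vendor_product) and then the corrected one, where Generic PUA JB lands in signature and Endpoint Protection in vendor_product. The lookbehind `(?<=\\)` is what keeps the SEDCMD from touching events whose file_path has no trailing backslash, so the rewrite is safe to apply to every event of the sourcetype.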