How to avoid comma separated delimiter being escap...

mayurr98 · ‎05-04-2023

Hello Splunkers,

I have an event like this:

blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,Generic PUA JB,,Endpoint Protection

I am extracting fields using comma separator delimiter, so my props.conf and transform.conf is:

transforms.conf

[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product

props.conf 

[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype

Now the output that I am getting is :

file_path = \\program_files\c\Drivers\,

severity=

severity_id= Generic PUA GB

signature=

signature_id= Endpoint Protection

vendor_product=

All the fields before file_path are getting extracted properly and after file_path are incorrect because it's adding comma and thus not separating properly. how do I ignore the \, and extract the fields properly.

Thank you in advance

danspav · ‎06-04-2023

Hi @mayurr98,

I tried out a new props that looks like it's getting the fields to ingest correctly -

transforms.conf

[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product

props.conf 

[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype
SEDCMD=s/^((?:[^,]+,){4}[^,]+)(?<=\\),/\1\\,/

I've only added one additional line in the props - a sedcmd to add an escape to any trailing slash in the file_path segment.

With that config set up, the data is ingested with the correct vendor_product field:

Cheers,
Daniel

How to avoid comma separated delimiter being escaped by backslash in an event?

field extraction

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!