How to build fields?

mauriziotarducc
Loves-to-Learn

Hello,

Having a log like:

<182>Mar 1 18:18:24 SND1 Policy Manager severity=Info saf=1 safd=RACF record=Mar 1 13:17:31 SND1 baspm[67174579]: Compliance Failure='Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not part of SPM dataset filter=SHRD' [DS33795]

I would like to extract the fields:

SND1 as LPAR field

[DS33795] as DISANUM field

'Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not part of SPM dataset filter=SHRD' as DESCRIPTION field

Can you help me write the regex?

I started to write the following:

"Compliance Failure" sourcetype="AMI SPM" | rex field=_raw "^(?:[^:\n]*:){2}\d+(?P<LPAR>\s+\w+)(?:[^\[\n]*\[){2}(?P<DISANUM>\w+)" offset_field=_extracted_fields_bounds | stats count by DISANUM

but I am not able to get the string after Compliance Failure into the field DESCRIPTION.

Thanks in advance

Maurizio


mauriziotarducc
Loves-to-Learn

Hello, I did the following and now it is ok:

"Compliance Failure" | rex "Compliance Failure='(?<DESCRIPTION>[^']*)'\s*\[(?<DISANUM>[^\]]+)\]"

Regards

Maurizio


mauriziotarducc
Loves-to-Learn

Hello, good morning.

Executing your new rex, what I have is:

 123/03/23 13:23:52,425
{ [-]
   Cat: Policy Manager
   HostName: SND1
   Record: Mar 23 09:23:52 SND1 baspm[33620189]: Compliance Failure='Port=23 included in configuration for TN3270 is not as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments' [DS223821]
   SAF: 1
   SAFD: RACF
   Severity: Info
   Time: 2023-03-23T13:23:52.425

}


But not Description and DISANUM.

Maurizio


bowesmana
SplunkTrust

If you have done spath and have a field following the spath called Record, then the rex should work, but if you don't have a field called Record because that field is not extracted, then it won't. Your rex is looking at the entire _raw field.


bowesmana
SplunkTrust

Try this:

| rex field=_raw "^.*?(\d+:){2}\d+(?P<LPAR>\s+\w+).*Compliance Failure='(?<DESCRIPTION>[^']*)'\s+\[(?P<DISANUM>\w+)" offset_field=extracted_fields_bounds


mauriziotarducc
Loves-to-Learn

Thanks.

I have another request:

I have a text like this (JSON format):

{"Time": "2023-03-23T13:23:50.551", "HostName": "SND1", "Cat": "Policy Manager", "Severity": "Info", "SAF": 1, "SAFD": "RACF", "Record": "Mar 23 09:23:49 SND1 baspm[33620189]: Compliance Failure='PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120' [DS223718]"}

I would like to have a DESCRIPTION field based on "Compliance Failure" and DISANUM based on the content between the [ and ] characters at the end of the string (in the above example the DISANUM is [DS223718]).

Thanks in advance

Maurizio 


bowesmana
SplunkTrust

In general, if it's a new question requiring a new answer, please ask it in a new question rather than using an already answered question, so others can help out.

If your JSON is already auto extracted then do only the rex statement, otherwise use spath to extract the JSON from the raw event:

| spath
| rex field=Record "[^\]]*\]: (?<DESCRIPTION>[^=]*).*\[(?<DISANUM>\w+)"


mauriziotarducc
Loves-to-Learn

Hello, thanks.

OK, it partially worked, because

for the field DESCRIPTION I just have "Compliance Failure"; I should have:

DESCRIPTION = 'Port=23 included in configuration for TN3270 is not as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments'

Can you help me?

Maurizio


mauriziotarducc
Loves-to-Learn

Or better, based on the last example:

DESCRIPTION = 'PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120'

Thanks

Maurizio


bowesmana
SplunkTrust

Sorry, correct rex here:

| rex field=Record "[^\]]*\]:\s+Compliance Failure='(?<DESCRIPTION>[^']*).*\[(?<DISANUM>\w+)"

It assumes the description is surrounded by single quote characters.
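To see what each pattern in this thread actually captures, here is an added Python check (not code from the thread or from Splunk) that runs the final Record rex, the _raw rex with LPAR, and the earlier [^=]* attempt over constructed copies of the two events quoted above; Python's re needs the (?P<name>...) spelling, which Splunk's PCRE also accepts.

```python
import json
import re

# Constructed sample events, copied in shape from the thread: one raw syslog
# line and one JSON event whose Record field carries the same kind of message.
RAW_SYSLOG = (
    "<182>Mar 1 18:18:24 SND1 Policy Manager severity=Info saf=1 safd=RACF "
    "record=Mar 1 13:17:31 SND1 baspm[67174579]: Compliance Failure="
    "'Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 "
    "but is not part of SPM dataset filter=SHRD' [DS33795]"
)
JSON_EVENT = json.dumps({
    "Time": "2023-03-23T13:23:50.551", "HostName": "SND1",
    "Cat": "Policy Manager", "Severity": "Info", "SAF": 1, "SAFD": "RACF",
    "Record": "Mar 23 09:23:49 SND1 baspm[33620189]: Compliance Failure="
              "'PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. "
              "It is currently set to 120' [DS223718]",
})

# Final rex from the thread, applied to the Record field after spath.
RECORD_RE = re.compile(
    r"[^\]]*\]:\s+Compliance Failure='(?P<DESCRIPTION>[^']*).*\[(?P<DISANUM>\w+)"
)
# The _raw variant, which also takes the host after the timestamp as LPAR.
RAW_RE = re.compile(
    r"^.*?(\d+:){2}\d+(?P<LPAR>\s+\w+).*Compliance Failure='(?P<DESCRIPTION>[^']*)'"
    r"\s+\[(?P<DISANUM>\w+)"
)
# Earlier attempt: [^=]* stops at the first '=' of the message, so
# DESCRIPTION comes back as just "Compliance Failure".
FIRST_ATTEMPT_RE = re.compile(r"[^\]]*\]: (?P<DESCRIPTION>[^=]*).*\[(?P<DISANUM>\w+)")


def extract_record(record: str, pattern: re.Pattern = RECORD_RE) -> dict:
    """Mimic `| rex field=Record ...`: named groups, whitespace stripped."""
    m = pattern.search(record)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else {}


def extract_from_json(event: str, pattern: re.Pattern = RECORD_RE) -> dict:
    """Mimic `| spath | rex field=Record ...` on a JSON event."""
    return extract_record(json.loads(event)["Record"], pattern)


def extract_from_raw(raw: str) -> dict:
    """Mimic `| rex field=_raw ...` on the syslog line."""
    return extract_record(raw, RAW_RE)
```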
