Key-value pair extraction

jkloet
Explorer

Given the event (output from Cisco ASA 'show vpn-sessiondb full svc' command)...

Session ID: 33397 | EasyVPN: 0 | Username: user@company.com | Group: VPN-User | Tunnel Group: WebVPN-AD-Authentication | IP Addr: 192.168.1.1 | Public IP: 184.151.1.1 | Protocol: Clientless SSL-Tunnel DTLS-Tunnel | License: SSL VPN | Session Subtype: With client | Encryption: RC4 AES128 | Login Time: 15:35:44 EST Tue Nov 22 2011 | Duration: 0h:00m:35s | Inactivity: 0h:00m:00s | Bytes Tx: 20277 | Bytes Rx: 19574 | NAC Result: Unknown | Posture Token: | VLAN Mapping: N/A | VLAN: 0 ||

... I am able to extract the key-value pairs using:

props.conf
[vpnsessiondata]
DATETIME_CONFIG=CURRENT
REPORT-sessiondata=sessiondata

transforms.conf
[sessiondata]
DELIMS = "|", ":"

The problem during searches is that a field is ignored if the character delimiting the key from the value (":" in this case) is also contained within the value (any time value for instance).

How can I deal with this?

Thanks! Jeff

0 Karma
1 Solution

_d_
Splunk Employee

OK, in that case then try something like this using your transforms stanza:

transforms.conf
[sessiondata]
REGEX = ([^\|]+):\s([^\|]+)
FORMAT = $1::$2

REGEX reads "anything that is not a pipe, followed by a colon, followed by a space, followed by a pipe, followed by anything that is not a pipe."

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!
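To see why the regex fixes the problem the question describes, here is an added example (not code from this thread or from Splunk) that runs the accepted answer's REGEX over the sample ASA event and compares it with a simple emulation of the DELIMS behaviour reported in the question. The DELIMS emulation and the clean_key() approximation of Splunk's default CLEAN_KEYS handling are assumptions made for this illustration; the sample event is the one from the question.

```python
import re

# Sample event copied from the question (one line of 'show vpn-sessiondb full svc' output).
SAMPLE_EVENT = (
    "Session ID: 33397 | EasyVPN: 0 | Username: user@company.com | Group: VPN-User | "
    "Tunnel Group: WebVPN-AD-Authentication | IP Addr: 192.168.1.1 | Public IP: 184.151.1.1 | "
    "Protocol: Clientless SSL-Tunnel DTLS-Tunnel | License: SSL VPN | Session Subtype: With client | "
    "Encryption: RC4 AES128 | Login Time: 15:35:44 EST Tue Nov 22 2011 | Duration: 0h:00m:35s | "
    "Inactivity: 0h:00m:00s | Bytes Tx: 20277 | Bytes Rx: 19574 | NAC Result: Unknown | "
    "Posture Token: | VLAN Mapping: N/A | VLAN: 0 ||"
)

# The REGEX from the accepted answer, verbatim. Only a colon followed by whitespace
# is treated as the key/value boundary, so the colons inside "15:35:44" are left alone.
KV_REGEX = re.compile(r"([^\|]+):\s([^\|]+)")


def clean_key(key: str) -> str:
    """Approximation (assumption) of Splunk's default CLEAN_KEYS behaviour:
    characters that are not alphanumeric or '_' become '_', and leading
    underscores/digits are stripped. 'Session ID' -> 'Session_ID'."""
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", key.strip())
    return cleaned.lstrip("_0123456789")


def extract_with_delims(event: str, pair_delim: str = "|", kv_delim: str = ":") -> dict:
    """Emulation (assumption) of the DELIMS behaviour the question reports:
    split pairs on '|', then key from value on ':'. A pair whose value also
    contains ':' no longer splits into exactly two parts and is dropped."""
    fields = {}
    for pair in event.split(pair_delim):
        parts = pair.split(kv_delim)
        if len(parts) != 2:  # no delimiter, or the delimiter also appears in the value
            continue
        key, value = parts
        if key.strip() and value.strip():
            fields[clean_key(key)] = value.strip()
    return fields


def extract_with_regex(event: str) -> dict:
    """Apply the answer's REGEX with FORMAT = $1::$2 semantics: group 1 is the
    key, group 2 the value. Values such as the login time keep their colons."""
    return {clean_key(key): value.strip() for key, value in KV_REGEX.findall(event)}


def compare(event: str) -> dict:
    """Return the fields that the DELIMS-style extraction silently loses but
    the regex extraction keeps; useful when checking an extraction change."""
    delims_fields = extract_with_delims(event)
    regex_fields = extract_with_regex(event)
    return {k: v for k, v in regex_fields.items() if k not in delims_fields}


if __name__ == "__main__":
    for name, value in sorted(compare(SAMPLE_EVENT).items()):
        print(f"recovered by regex only: {name} = {value!r}")
```

Running the script lists the time-valued fields (Login_Time, Duration, Inactivity) that the delimiter split drops but the regex recovers; the empty "Posture Token" field is absent from both results because the regex requires at least one non-pipe character in the value.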

jkloet
Explorer

That works as needed... thanks!! Jeff

0 Karma

_d_
Splunk Employee

Not sure whether this will work, but give it a try.

transforms.conf
[sessiondata]
DELIMS = "|", ": "

Notice the space after : in DELIMS

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

0 Karma

jkloet
Explorer

That would be nice however the documentation says:

[multiple_delims]
DELIMS = "|;", "=:"

*The above example extracts key-value pairs which are separated by '|' or ';'.
*while the key is delimited from value by '=' or ':'.

0 Karma

tpsplunk
Communicator

I don't think you can use DELIMS to do this because as you've noted it doesn't work well when one of your delimiters shows up in a key or value field. I had to solve this by using a REGEX instead, see: http://splunk-base.splunk.com/answers/34550/help-with-regex-to-separate-keyvalue-pairs-with-a-charac...

In your case you would want to craft a regex that captures into two capture groups: group 1 is the key and group 2 is the value.

REGEX = To be created
FORMAT = $1::$2

I will try to figure out the regex, but my regex-fu is of a medium level, so hopefully someone will beat me to it.
