Re: Regex Help

sjangampeta · ‎02-20-2017

Need help in removing double quotes from extracted field value.

EVAL-user = nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})", "\1"),"")

Sample Log:
2017-02-12 14:02:05,Virus found,Source: Scheduled Scan,Risk name: OSX.Trojan.Gen,Occurrences: 1,/Users/71071190/Downloads/archive_manager.dmg,'',Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2017-02-08 22:38:17,Inserted: 2017-02-12 20:02:05,End: 2017-02-08 22:38:17,Last update time: 2017-02-12 20:02:05,Domain: North America,Group: My Company\North America\Workstations\Macs,User: "ABCD, XYZ {FGH}",Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: UNKNOWN
2017-02-12 14:02:05,Virus found,Source: Scheduled Scan,Risk name: OSX.Trojan.Gen,Occurrences: 1,/Users/71071190/Downloads/archive_manager.dmg,'',Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2017-02-08 22:38:17,Inserted: 2017-02-12 20:02:05,End: 2017-02-08 22:38:17,Last update time: 2017-02-12 20:02:05,Domain: North America,Group: My Company\North America\Workstations\Macs,User: 12345678,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: UNKNOWN

Extracted values: -
user = 12345678
user= "ABCD, XYZ {FGH}"

somesoni2 · ‎02-20-2017

Why not just do a search time field extraction like this.

props.conf on search head

[yoursourcetype]
EXTRACT-userfield = ,User:\s+\"*(?<user>.+)\"*,Source computer

See regex101 page for validation of regex
https://regex101.com/r/6e4pdb/1

sjangampeta · ‎02-21-2017

our requirement was to update above eval function, so it can extract all user fields. they don't want to add search time field extraction

woodcock · ‎02-20-2017

Like this:

EVAL-user=replace(user, "\"", "")

sjangampeta · ‎02-20-2017

since we already have existing eval-user, where can i add this "\"", "" regex ?

EVAL-user = nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})", "\1"),"")

woodcock · ‎02-20-2017

You can do 2 passes; put mine after the original.

sjangampeta · ‎02-20-2017

Tried this, but it fails .new user value "ABCD, XYZ {FGH}"s/"/ /g

nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})\"?", "s/\"/ /g\1"),"")

sjangampeta · ‎02-21-2017

may i know what I'm missing ?
nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})\"?", "s/\"/ /g\1"),"")

adayton20 · ‎02-20-2017

Try this:

| rex field=user mode=sed "s/\"/ /g"

sjangampeta · ‎02-20-2017

Thank you rex works.
But we don't want to add during search time.

Can I update anything in below calculated field?
EVAL-user = nullif(replace(user, "[^:]+:\s*(.*|\w+\,\s\w+\s{\w+})", "\1"),"")

Regex Help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation