Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- need help with multivalue fields for chmod and fin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need help with multivalue fields for chmod and find linux commands
Good evening,
I'm having trouble parsing this events as multivalue fields:
Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
/u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
-mtime +30 -exec /usr/bin/rm {} ;
from this, I need to extract the field OBJECT and OBJECT_PATH, to make it CIM compliant, I need to capture all of these lines:
/u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1
as every OBJECT_PATH value.
and every path that can appear in the event, except the last part, which will be OBJECT:
/log_137.xml
/log_10.xml
/log.xml
So far I have this field extraction for both:
command\snot\sallowed.*\s*.*\/s?bin\/find[\s\S]*?(?<object_path>\/.*)(?<object>\/.*)
it would work great if my events only contained 1 file being "searched", but they can come with more than 128 files and their paths being affected by the find and delete command. I need help to capture these 2 fields as multivalue ones. Please help.
Thanks in advance !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I forgot to add, I need to be able to put the configuration inside my props, transforms and fields.conf files
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay thanks for your answer, the regex I need is something like this:
\s+(?<object_path>\/.*\/)(?<object>[^\s]+)(\s?.+?)+?
where object is:
log.xml, log_1.xml, etc
The regex I put works, but it matches the final RM command, which I don-t need to match, can you please make a regex that matches only the path and object? without the final RM command. Plus, I need the regex to match anyway if the Rm command is not there, I mean, it should match even if the -rm command is not present in the event.
Thanks in advance, I will try your solution !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@3DGjos, can you try the following regular expression?
| rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0
Following is a run anywhere search:
| makeresults
| eval _raw=" Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
/u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
-mtime +30 -exec /usr/bin/rm {} ;"
| rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0
After testing the same at search time, in order to set this up as configuration, you would need to use fields.conf, props.conf and transforms.conf: Refer to TOKENIZER documentation.
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
