Splunk Enterprise

Field extraction help needed: Why are some fields are not getting extracted correctly, only partially?

mbasharat
Contributor

Hi,

I have below sample event. All field values are getting extracted fine using Splunk's auto extraction. However, some fields are not getting extracted correctly and they get extracted partially. These fields are FindingDetails and FindingDescription highlighted below. How can I get auto extraction in place to extract them all using rex OR how can I extract only these two fields at search time with two separate regexes? All fields are seperated by comma in raw event below and all values are encapsulated in double quotes. Feed is setup via DBConnect running SQL against a DB table and data gets in as is. Splunk Enterprise is @ 8.x.

Thanks in advance!!

 

2022-06-21 10:29:05.000, ID="1234567890", System="SAMPLE", GSystem="SAMPLE", Environment="1 PROD", Datasource="SAMPLE", DBMSProduct="ORACLE", FindingType="Fail", SeverityCode="2 HIGH", SeverityScore="8.0", TestID="1234", TestName="SAMPLE", TestDescription="Application users privileges should be restricted to assignments using application user roles. Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned privileges. We recommend assigning permissions to roles and then grant the roles to accounts. This test excludes grantees from a predefined Guardium group called "Oracle exclude default system grantees", APEX_%, ANONYMOUS and PUBLIC grantees. It also excludes grantees for tables SAMPLE and SAMPLE, excludes the DBMS_REPCAT_INTERNAL_PACKAGE table and table name like '%RP'. To exclude certain grantees, you can create an exception group, populate it with authorized grantees and link your group to this test.", FindingDescription="Application users privileges are not restricted to assignments using application user roles. Including 205 items present in test detail exceptions.", FindingDetails="The following users have direct privileges on the tables: Grantee = SAMPLE : Privilege = DELETE : Owner = SAMPLE: Object_name = SAMPLE", TestResultID="123456789", RemediationRule="295", RemediationAssignment="TEST", RemediationAnalysis="Finding passes in the Baseline Configuration. Project needs to initiate tickets in coordination with their DBA to remediate. Specifically a Role needs to be created and the permission flagged in this test added to the role, the user should then be granted to the role and the original permission removed from the user. This is a finding even if documented in the XYZ.", RemediationGuidance="Application users privileges should be restricted to assignments using application user roles. We recommend revoking privileges assigned directly to database accounts and assigning them to roles based on job functions. You can use the following command to revoke privileges: revoke <privilege> on <object name> from <user name>; To exclude certain grantees, you can create an exception group, populate it with authorized grantees and link your group to this test.", ExternalReference="STIG_Reference : STIG_SRG", VersionLevel="19", PatchLevel="19.15.0.0.0", Reference="123", VulnerabilityType="PRIV", ScanTimestamp="2022-06-21 06:29:05.0000000", FirstExecution="2022-01-04 06:38:25.0000000", LastExecution="2022-06-21 06:29:56.0000000", CurrentScore="Fail", CurrentScoreSince="2022-01-04 06:38:25.0000000", CurrentScoreDays="168", Account="TEST", AcknowledgedServiceAccount="Yes", SecurityAssessmentName="TEST", CollectorID="123456789045444444", ScanYear="2022", ScanMonth="6", ScanDay="21", ScanCycle="2", Description="TEST", Host="abcdef.sample.net", Port="0000", ServiceName="SAMPLE"

 

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Your version should work just as well so use either

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The reason for partial extraction is that TestDescription appears to have unescaped quotes embedded which is throwing off the extraction. Try these searchtime extractions

| rex "FindingDescription=\"(?<FindingDescription>[^\"]+)"
| rex "FindingDetails=\"(?<FindingDetails>[^\"]+)"

mbasharat
Contributor

Hi @ ITWhisperer,

I did below before your response and it is working. Did I do this correctly or should I use your version of rex?

| rex "FindingDetails=\"(?<FindingDetailsE>[^,]*)\""
| rex "FindingDescription=\"(?<FindingDescriptionE>[^,]*)\""


0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your version should work just as well so use either

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...