Splunk Search

Can I REGEX a string and assign to field?

Path Finder

I have Graylog forwarding Windows events and I use this command in my props.conf to parse:

FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords as action

This sets action to the value of winlogbeat_keywords; however, it is [audit success] and I want to remove the '[]'.

I know I can use an EXTRACT and a REGEX expression, but I am guessing that is against the entire message string, and I want to run it on winlogbeat_keywords and/or action.

Can I do this?

Thanks!


SplunkTrust

Hi @pfabrizi,

Yes, you can apply regex to specific fields. I have created a run-anywhere search:

| makeresults | eval winlogbeat_keywords="[abc xyz]"
| rex field=winlogbeat_keywords "\[(?<action>.*)\]"

I hope this helps.

Thanks,
Harshil


Path Finder

Will this work in a props.conf or transforms.conf?


SplunkTrust

Try this on the Search Head:

props.conf

[your_sourcetype]
REPORT-fields = actions_extraction

transforms.conf

[actions_extraction]
SOURCE_KEY = winlogbeat_keywords
REGEX = \[(?<action>.*)\]

Path Finder

I added this line to my props.conf:

[graylog:windows]
REPORT-fields = get-action

Then in transforms.conf:

[get-action]
SOURCEKEY_KEY = winlogbeat_keywords
REGEX = [(?.*)]

It doesn't seem to work.


SplunkTrust

While testing this configuration, it looks like either you need to extract and index this data in another field at index time, or, if you want to use search-time extraction, you need to apply the regex to the _raw data.

Based on the answers at https://answers.splunk.com/answers/559858/why-does-a-transforms-report-stanza-have-issues-wi.html, REPORT has higher precedence than KV_MODE. It looks like in your case the winlogbeat_keywords field is extracted by KV_MODE=auto, so when you define props and transforms for the winlogbeat_keywords field it will not work, because that field has not yet been extracted, due to the higher precedence of REPORT over KV_MODE.

I hope this clears your query.


SplunkTrust

Also, you need to put the regex into the REGEX= field as written above. I see from your config file export that you didn't do that correctly.

REGEX=\[(?<action>.*)\]


Path Finder

So this is not correct?

props.conf:

REPORT-field = get_action

Transform:
[get_action]
SOURCEKEY=winlogbeat_keywords
REGEX = [(?.*)] ------ should this be winlogbeat_keywords?

Thanks!


Path Finder

Sorry, it was a typo.
I have it as:
REGEX = [(?.*)]


SplunkTrust

If you look at what @harsmarvania57 and I wrote, then you can see the difference.


Path Finder

So can I do this, which is actually what I want to do?
I need to try and match the auto lookups from the splunk_ta_windows into my custom app.
I know we should be using the splunk_ta_windows with the UF, but our operations folks drive what we use for collection.

Thanks!

I need to make [Audit Success] into success or failure...
I see in the SPLUNK_TA_WINDOWS they use a lookup:

LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type as Keywords OUTPUTNEW action, action AS status

Should I be able to do this in my app? I am trying this:

Props.conf:
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type as Keywords OUTPUTNEW action, action AS status

Transforms.conf:
[windows_action_lookup]
filename = windows_actions_graylog.csv

windows_actions_graylog.csv:
Type,action
"audit failure",failure
"Audit Failure",failure
"AUDIT_FAILURE",failure
"failure audit",failure
"Failure Audit",failure
"FAILURE_AUDIT",failure
"audit success",success
"[Audit Success]",success
"AUDIT_SUCCESS",success
"success audit",success
"Success Audit",success
"SUCCESS_AUDIT",success
"success","success"
"failure","failure"

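An added example (not from this thread or from Splunk_TA_windows) that ties together the precedence point made earlier (REPORT runs before automatic KV extraction, so a SOURCE_KEY on winlogbeat_keywords never sees the field) and the lookup posted above. It uses a calculated field (EVAL-), which Splunk evaluates after KV_MODE extraction and before LOOKUP-, to strip the brackets, and relaxes case_sensitive_match on the file lookup so the CSV no longer needs one row per capitalisation. The sourcetype and lookup filename are taken from the thread; the EXTRACT against _raw assumes the raw event literally contains winlogbeat_keywords=[...], which is an assumption about the Graylog output format, and the CSV rows are a constructed sample.

```ini
# --- props.conf on the search head (added example; sourcetype from the thread) ---
[graylog:windows]

# Option A: search-time regex against _raw, as suggested in the thread.
# Only works if the raw event literally contains winlogbeat_keywords=[...] (assumed).
# Use either Option A or Option B, not both, since both define "action".
# EXTRACT-action_from_raw = winlogbeat_keywords=\[(?<action>[^\]]+)\]

# Option B: calculated field. EVAL- is applied after automatic KV extraction
# (KV_MODE=auto), so unlike REPORT it can read winlogbeat_keywords.
# trim(X, "[]") removes bracket characters from both ends, no regex escaping needed.
EVAL-Type = trim(winlogbeat_keywords, "[]")

# LOOKUP- runs after calculated fields, so the lookup input is "Audit Success",
# not "[Audit Success]". Outputs action, and the same value aliased as status.
LOOKUP-action_for_graylog_security = windows_action_graylog Type OUTPUTNEW action, action AS status

# --- transforms.conf ---
[windows_action_graylog]
filename = windows_actions_graylog.csv
# File lookups match case-sensitively by default (true). With false, one CSV row
# covers "Audit Success", "audit success" and "AUDIT SUCCESS".
case_sensitive_match = false

# --- windows_actions_graylog.csv (constructed sample) ---
# Only case is relaxed; underscore and word-order variants still need their own rows.
# Type,action
# audit success,success
# audit_success,success
# success audit,success
# success_audit,success
# success,success
# audit failure,failure
# audit_failure,failure
# failure audit,failure
# failure_audit,failure
# failure,failure
```

To check the result before touching the conf files, a run-anywhere search of the same shape as the one earlier in the thread works: create winlogbeat_keywords with eval, apply the same trim() call, and pipe the result into the lookup with the `lookup` command; if status and action come back empty, compare the trimmed value against the CSV's Type column and the case_sensitive_match setting first.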