Splunk Search

Can you help me with a regex field extraction?

PanIrosha
Path Finder

Hi All,

I have installed and configured "Cisco AMP for Endpoints" on our search head. Currently, it's forwarding all the logs to an index called "Cisco-AMP". I can see all events coming in. There is a field called "event.computer.user"; this stores the email address of the user. I need to extract just the user name from this field and add it to another field called "User".

The following regex does that perfectly when I run it in the search bar.

index=amp | rex field=event.computer.user "(?<user>[^@]+)"

But I need this extraction to work permanently, so I created a field extraction by taking the steps below. Then I restarted Splunk services. But I can't see the new field when I search for the Cisco AMP events in the search app. Am I doing anything wrong here?

Settings > Fields > Field Extractions >

Destination App: Cisco-AMPEvents
Name: User_field_extract
Sourcetype: cisco:amp:event
Type: inline
Extraction and Transform: field=event.computer.user "(?<user>[^@]+)"
App Permission: Global

Thank you in advance.

1 Solution

PanIrosha
Path Finder

Hi @kamlesh_vaghela

I think it's working now.

Step 1: I have created a regex-based field transform with the following settings.

Name: field_extraction_for_user
Type: RegEx Based
RegEx: (?<user>[^@]+)
App: Cisco_AMP
Source Key: event.computer.user

Step 2: Then I have created a field extraction.

App: Cisco_AMP
Name: User_Extraction
SourceType: Cisco:AMP
Type: Uses transform
Extraction/Transform: "name of the field transform above"

Thank you very much for your help.



kamlesh_vaghela
SplunkTrust

@PanIrosha

Glad to help you.

!!! Happy Splunking !!!


kamlesh_vaghela
SplunkTrust

@PanIrosha
Have you tried comparing with _raw?

Can you please try with this?

**Extraction and Transform:**  event.computer.user=(?<user>[^@]+)

Note: Here I have assumed that _raw is like below.

event.computer.user=abc@xyz.com

PanIrosha
Path Finder

Hi @kamlesh_vaghela

Thank you for the quick response.

The raw log has the following:

"user": "firstName.LastName@DomainName.com"

kamlesh_vaghela
SplunkTrust

Is this a JSON event??

Can you please share sample events?? Replace the sensitive value with dummy one.


PanIrosha
Path Finder

@kamlesh_vaghela

Below is the sample raw event:

{"event": {"event_type": "Threat Detected", "timestamp_nanoseconds": 543000000, "date": "2018-10-29T12:20:53+00:00", "file": {"disposition": "Malicious", "identity": {"md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}, "file_name": "f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "file_path": "\\?\C:\Users\User.Name\Downloads\f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "parent": {"disposition": "Clean", "identity": {"md5": "f8ba54ad76c8f8ec9f3d639871b30f27", "sha1": "d42ea42b362442299195a82cfb998f10b11af868", "sha256": "c0edc58682b6fa296a439da2320c8bf74d7bf5f8e83446441048687beb60a472"}, "file_name": "chrome.exe", "process_id": 13132}}, "computer": {"links": {"trajectory": "https://api.eu.amp.cisco.com", "computer": "https://api.eu.amp.cisco.com", "group": "https://api.eu.amp.cisco.com"}, "connector_guid": "ec10a6ba-1bf2-42d8-8254-77fbcea54c6a", "active": true, "hostname": "Demo-PC-001", "user": "firstName.LastName@Domain.com", "external_ip": "xxx.xxx.xxx.xxx", "network_addresses": [{"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}]}, "id": 6617752838799884295, "timestamp": 1540815653, "connector_guid": "asas-weuwuey-kjhdfkjaf", "event_type_id": 1090519054, "detection": "Win.Trojan.EICAR-Test-File", "detection_id": "6617752838799884292", "group_guids": ["272362aashasah13276237623jsdhjsdjsh"]}}

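The reason the inline extraction in the question never produced a field, shown as an added example (not code from Splunk or from anyone in this thread): an inline EXTRACT with no "in <field>" clause runs against the whole _raw event, so the rex-only "field=..." syntax and a key=value regex both miss a JSON event, while a regex that matches the JSON text, or a transform with SOURCE_KEY as in the accepted solution, yields the username. Python's re is used here as a simplified model of the two Splunk extraction paths (it assumes event.computer.user was already produced by Splunk's JSON auto-extraction); the event is a constructed, trimmed copy of the sample above.

```python
import json
import re

# Constructed sample: a trimmed copy of the JSON event quoted in the thread
# (hashes, IPs and GUIDs dropped; only the fields relevant here are kept).
RAW_EVENT = json.dumps({"event": {"event_type": "Threat Detected", "computer": {
    "hostname": "Demo-PC-001", "user": "firstName.LastName@Domain.com"}}})


def pcre_to_python(pattern: str) -> str:
    """Splunk regexes use PCRE named groups (?<name>...); Python's re needs (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def inline_extract(raw: str, pattern: str) -> dict:
    """Model of a props.conf EXTRACT-<class> without an 'in <field>' clause:
    the regex runs against the whole _raw event; each named group becomes a field."""
    m = re.search(pcre_to_python(pattern), raw)
    return m.groupdict() if m else {}


def transform_extract(raw: str, source_key: str, pattern: str) -> dict:
    """Model of a transforms.conf stanza with SOURCE_KEY=<field>: the regex runs
    against the value of a field already extracted from the JSON (KV_MODE=json)."""
    value = json.loads(raw)
    for part in source_key.split("."):  # walk the dotted path event.computer.user
        value = value[part]
    m = re.search(pcre_to_python(pattern), value)
    return m.groupdict() if m else {}


def compare_candidates(raw: str = RAW_EVENT) -> dict:
    """Run each regex from the thread the way Splunk would; return the user value each yields."""
    return {
        # rex-only syntax: 'field=...' is just literal text when used as an EXTRACT regex
        "inline_rex_syntax": inline_extract(raw, 'field=event.computer.user "(?<user>[^@]+)"').get("user"),
        # unanchored: matches from the start of _raw up to the first '@', not a username
        "inline_bare": inline_extract(raw, "(?<user>[^@]+)").get("user"),
        # key=value form only fits key=value logs, not this JSON event
        "inline_kv": inline_extract(raw, "event.computer.user=(?<user>[^@]+)").get("user"),
        # match the JSON text itself: works as an inline extraction against _raw
        "inline_json": inline_extract(raw, r'"user":\s*"(?<user>[^@"]+)@').get("user"),
        # transform with SOURCE_KEY, i.e. the accepted solution
        "transform": transform_extract(raw, "event.computer.user", "(?<user>[^@]+)").get("user"),
    }


if __name__ == "__main__":
    for name, user in compare_candidates().items():
        print(f"{name:18} -> {user!r}")
```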