Splunk Search

Cisco eStreamer eNcore Add-on for Splunk v3.6.8 - Error in two EXTRACTs

Path Finder

Cisco eStreamer eNcore Add-on for Splunk v3.6.8 has two EXTRACTs with errors in them.

EXTRACT-extract_src and EXTRACT-extract_dest both have an extraneous equal sign (=) before the start of the regex which means that src_ip and dest_ip don't get extracted. Both are under the [cisco:firepower:syslog] stanza.

Engager

I stumbled across the same thing today. Additionally i was wondering, if the regex itself has a mistake aswell. Our Firepower generates logs with the fields SrcIP and DestIP. However, the regexes only match a lowercase "p" at the end.

Original Regex:

 

EXTRACT-extract_src==^.+SrcIp\:\ (?P<src_ip>[^,;]+)
EXTRACT-extract_dest = =^.+DestIp\:\ (?P<dest_ip>[^,]+)

 

Fixed Regex (not tested):

 

EXTRACT-extract_src=^.+SrcIP\:\ (?P<src_ip>[^,;]+)
EXTRACT-extract_dest = ^.+DestIP\:\ (?P<dest_ip>[^,]+)

 

0 Karma