Field transformation does not work but rex does wi...

av · ‎08-28-2020

I am trying to extract a field using field transformation. My event contains a XML. Partial snippet given below -

                    <Name>/xx</Name>
                    <Id>HASPR00100</Id>
                    <Class>B</Class>
                    <Confidence>0.8957</Confidence>
                    <Notes>
                        <Note>
                            <Key name="note">[CDATA[{"target": "corp", "precision": 0.365, "recall": 0.553, "fnr": 0.447, "fpr": 0.0273, "confidence": {"A": 0.0, "B": 0.8957}}]]</Key>
                            <Key name="score">0.0271</Key>

I am trying to capture the "score" value 0.0271 in a field.

I tried to create a field transformation using regex below -

\<Name\>\/xx\<\/Name\>\n.+\n.+\n.+\n.+\n.+\n.+\n.+\<Key name\=\"score\"\>(\S+)\<\/Key\>

But that does not work. If I use the same expression in rex I am able to extract the field.

index=a ... | rex "\<Name\>\/xx\<\/Name\>\n.+\n.+\n.+\n.+\n.+\n.+\n.+\<Key name\=\"score\"\>(?<sc>.*)\<\/Key\>"

Am i missing something? Or is there any better way to do this?

Thanks.

harsmarvania57 · ‎08-28-2020

Any specific reason to use field transformation ? You can use field extraction to achieve the same (Define regex in field extraction directly).

av · ‎08-31-2020

@harsmarvania57 Tried your suggestion, but same result using direct regex in field extraction. Not sure what am I missing.

harsmarvania57 · ‎09-01-2020

Can you please let us know regex which you have configured in field extraction and one simple raw event (Not partial event) ?

av · ‎09-02-2020

I was able to make it work with following regex

xx[^\$]+?score\"\>(\S+)\<

Field transformation does not work but rex does with the same regex expression

field extraction

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?