
File Extraction with empty field on Space delimited events

rangarbus
Explorer

My events are as below: 

Mon Nov 23 09:21:57 2020 6 10.0.0.3 3783 /root/A/P2/source1/POL.IDM b s i r kumar ssh 0 *

Mon Nov 23 09:21:58 2020 5 10.0.0.4 3783 /root/A/P2/.stfs/objects/8a/32bcb75c884c00175c989636000ba/b14fbda4-6857-4910-9a74-9789b6165b7f/52925c56-3ae2-4f75-bb3a-97622e9223b0/8a332bcb75c884c00175c989751500c3/POL.IDM b n o r kumar ssh 0 *

Mon Nov 23 09:15:25 2020 7 10.0.0.2 68 /root/A/P1/.stfs/objects/8a/325cc74705abd017472f907ce0155/12763075-66b1-4a1b-b080-0c5d0a5a0c11/d8c5486a-57ab-4798-a8cc-2bf45f3b975b/8a3325cc74705abd017472f9bbc701c7/WEB.dat a s o p ftp 0 *


If I extract the fields, I need the below:

event 1 field values in RED, event 2 field values in PINK, event 3 field values in BLUE

current_time=Mon Nov 23 09:21:57 2020, Mon Nov 23 09:21:58 2020, Mon Nov 23 09:15:25 2020
transfer_time=6, 5, 7
remote_host=10.0.0.3, 10.0.0.4, 10.0.0.2
file_size=3783, 3783, 68
file_path=
/root/A/P2/source1/POL.IDM,
/root/A/P2/.stfs/objects/8a/32bcb75c884c00175c989636000ba/b14fbda4-6857-4910-9a74-9789b6165b7f/52925c56-3ae2-4f75-bb3a-97622e9223b0/8a332bcb75c884c00175c989751500c3/POL.IDM,
/root/A/P1/.stfs/objects/8a/325cc74705abd017472f907ce0155/12763075-66b1-4a1b-b080-0c5d0a5a0c11/d8c5486a-57ab-4798-a8cc-2bf45f3b975b/8a3325cc74705abd017472f9bbc701c7/WEB.dat
-> A few extracts on this field file_path with / as delimiter: --> This I don't know how to handle
    3rd index extracted as account=P2, P2, P3
    last index extracted as file_name=POL.IDM, POL.IDM, WEB.dat
    last but one index (if it starts with 8a) extracted as route_id=<null, empty>, <null, empty>, 8a3325cc74705abd017472f9bbc701c7
transfer_mode=b, b, a
transfer_security=s, n, s
transfer_status=i, o, o
access_mode=r, r, p
user_name=kumar, kumar, <null, empty> --> This I don't know how to handle
protocol=ssh, ssh, ftp

Can you please help with the field extractions / search query for this?

Thank you


gcusello
SplunkTrust

Hi @rangarbus,

you should try using three different regexes:

One for the fields until user_name:

| rex "^(?<current_time>\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+(?<transfer_time>\d+)\s+(?<remote_host>\d+\.\d+\.\d+\.\d+)\s+(?<file_size>\d+)\s+(?<file_path>[^ ]+)\s+(?<transfer_mode>\w+)\s+(?<transfer_security>\w+)\s+(?<transfer_status>\w+)\s+(?<access_mode>\w+)\s+"

that you can test at https://regex101.com/r/7vtkzS/1 

one for the user_name:

| rex "(?<user_name>\w+)\s+ssh|ftp"

that you can test at https://regex101.com/r/7vtkzS/3 

and one for protocol:

| rex "(?<protocol>ssh|ftp)"

that you can test at https://regex101.com/r/7vtkzS/4

Ciao.

Giuseppe

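A way to check the extraction offline before it goes into a rex command, as an added example that is not part of the thread or of Giuseppe's answer: one pattern for the whole event in which user_name is optional, so the ftp event with no user yields an empty field instead of taking the access_mode token, plus the / splits for account, file_name and route_id asked for in the question. The three events are the ones posted above; EVENT_RE, ACCOUNT_RE and TAIL_RE are names chosen here.

```python
import re

# Added example (not from the thread): one pattern for the whole line, so user_name is
# optional and protocol is pinned by the trailing "0 *" instead of being guessed.
# (?P<name>...) groups work in both Python's re and Splunk's PCRE, so the joined pattern
# can be pasted into `| rex "..."` as-is.
EVENT_RE = re.compile(
    r"^(?P<current_time>\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+"
    r"(?P<transfer_time>\d+)\s+"
    r"(?P<remote_host>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<file_size>\d+)\s+"
    r"(?P<file_path>\S+)\s+"
    r"(?P<transfer_mode>\w+)\s+(?P<transfer_security>\w+)\s+"
    r"(?P<transfer_status>\w+)\s+(?P<access_mode>\w+)\s+"
    r"(?:(?P<user_name>\w+)\s+)?"  # missing on the ftp event -> None, not "p"
    r"(?P<protocol>ssh|ftp)\s+\d+\s+\*\s*$"
)

# Sub-extractions on file_path with / as delimiter (ACCOUNT_RE/TAIL_RE are names chosen
# here): account is the 3rd segment; route_id is the last-but-one segment only when it
# starts with 8a; file_name is the last segment.
ACCOUNT_RE = re.compile(r"^/[^/]+/[^/]+/(?P<account>[^/]+)/")
TAIL_RE = re.compile(r"(?:/(?P<route_id>8a[^/]+))?/(?P<file_name>[^/]+)$")

# The three events from the question, used as sample input.
EVENTS = [
    "Mon Nov 23 09:21:57 2020 6 10.0.0.3 3783 /root/A/P2/source1/POL.IDM b s i r kumar ssh 0 *",
    "Mon Nov 23 09:21:58 2020 5 10.0.0.4 3783 /root/A/P2/.stfs/objects/8a/32bcb75c884c00175c989636000ba/b14fbda4-6857-4910-9a74-9789b6165b7f/52925c56-3ae2-4f75-bb3a-97622e9223b0/8a332bcb75c884c00175c989751500c3/POL.IDM b n o r kumar ssh 0 *",
    "Mon Nov 23 09:15:25 2020 7 10.0.0.2 68 /root/A/P1/.stfs/objects/8a/325cc74705abd017472f907ce0155/12763075-66b1-4a1b-b080-0c5d0a5a0c11/d8c5486a-57ab-4798-a8cc-2bf45f3b975b/8a3325cc74705abd017472f9bbc701c7/WEB.dat a s o p ftp 0 *",
]


def extract(event: str) -> dict:
    """Return the field set from the question for one event; absent fields are None."""
    m = EVENT_RE.match(event)
    if m is None:
        raise ValueError(f"event does not match the expected layout: {event!r}")
    fields = m.groupdict()
    path = fields["file_path"]
    acct = ACCOUNT_RE.match(path)
    tail = TAIL_RE.search(path)
    fields["account"] = acct["account"] if acct else None
    fields["file_name"] = tail["file_name"] if tail else None
    fields["route_id"] = tail["route_id"] if tail else None
    return fields


if __name__ == "__main__":
    for ev in EVENTS:
        f = extract(ev)
        print({k: f[k] for k in ("account", "route_id", "file_name", "user_name", "protocol")})
```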
