Hi Team,
I have two conditions as below, and I need to find out operation="OVERRIDE" from the first, while the other should be blocked.
1> [name="IP BLOCK TYPE",value="Private",operation="OVERRIDE"]
In the first case I applied >>> rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\"" | where isnotnull(IP_Block_Type) and I got the operation="OVERRIDE" value only in the IP_Block_Type column.
2> [name="IP BLOCK TYPE",value="Public",descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"},operation="OVERRIDE"]
In the second condition, I'm looking for a logic which would not take "descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"}" but should still give operation="OVERRIDE" in the result.
@ITWhisperer Please find the 3rd part of the code:
sourcetype=ib:audit index=ib_audit OBJECT_TYPE=*Network* OBJECT_TYPE!=*Container* ACTION=Created OBJECT_NAME!=10.* AND OBJECT_NAME!=172.16.* AND OBJECT_NAME!=172.17.* AND OBJECT_NAME!=172.18.* AND OBJECT_NAME!=172.19.* AND OBJECT_NAME!=172.20.* AND OBJECT_NAME!=172.21.* AND OBJECT_NAME!=172.22.* AND OBJECT_NAME!=172.23.* AND OBJECT_NAME!=172.24.* AND OBJECT_NAME!=172.25.* AND OBJECT_NAME!=172.26.* AND OBJECT_NAME!=172.27.* AND OBJECT_NAME!=172.28.* AND OBJECT_NAME!=172.29.* AND OBJECT_NAME!=172.30.* AND OBJECT_NAME!=172.31.* AND OBJECT_NAME!=192.168.* (earliest=-1year)
| sort -_time
| eval MESSAGE=replace(MESSAGE, "\\\\040", " ")
| eval MESSAGE=replace(MESSAGE, "\\\\042", "\"")
| eval MESSAGE=replace(MESSAGE, "\\\\054", ",")
| eval MESSAGE=replace(MESSAGE, "\\\\072", ":")
| eval MESSAGE=replace(MESSAGE, "\\\\075", "=")
| eval MESSAGE=replace(MESSAGE, "\\\\076", ">")
| eval MESSAGE=replace(MESSAGE, "\\\\133", "\[")
| eval MESSAGE=replace(MESSAGE, "\\\\134", "\\")
| eval MESSAGE=replace(MESSAGE, "\\\\135", "\]")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\040", " ")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\042", "\"")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\054", ",")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\072", ":")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\075", "=")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\076", ">")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\133", "\[")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\134", "\\")
| eval OBJECT_NAME=replace(OBJECT_NAME, "\\\\135", "\]")
| rex max_match=0 field=_raw "CITY\",value=\"(?<City>.*?)\s*(\w*+)\]" | eval City=substr(City, 1, len(City)-1)
| rex max_match=0 field=_raw "REGION\",value=\"(?<Region>.*?)\s*(\w*+)\]" | eval Region=substr(Region, 1, len(Region)-1)
| rex max_match=0 field=_raw "FLOOR\",value=\"(?<Floor>.*?)\s*(\w*+)\]" | eval Floor=substr(Floor, 1, len(Floor)-1)
| rex max_match=0 field=_raw "COUNTRY\",value=\"(?<Country>.*?)\s*(\w*+)\]" | eval Country=substr(Country, 1, len(Country)-1)
| rex max_match=0 field=_raw "CKT ID\",value=\"(?<CKT_ID>.*?)\s*(\w*+)\]" | eval CKT_ID=substr(CKT_ID, 1, len(CKT_ID)-1)
| rex max_match=0 field=_raw "Assignor ID\",value=\"(?<Assignor_ID>.*?)\s*(\w*+)\]" | eval Assignor_ID=substr(Assignor_ID, 1, len(Assignor_ID)-1)
| rex max_match=0 field=_raw "IP BLOCK TERMINATION DEVICE\",value=\"(?<IP_Block_Termination_Device>.*?)\s*(\w*+)\]" | eval IP_Block_Termination_Device=substr(IP_Block_Termination_Device, 1, len(IP_Block_Termination_Device)-1)
| rex max_match=0 field=_raw "CR NUMBER\",value=\"(?<CR_Number>.*?)\s*(\w*+)\]" | eval CR_Number=substr(CR_Number, 1, len(CR_Number)-1)
| rex max_match=0 field=_raw "DEPLOYMENT STATUS\",value=\[\"(?<Deployment_Status>[^\"]*)\"\]" | eval Deployment_Status=substr(Deployment_Status, 1, len(Deployment_Status)-0)
| rex max_match=0 field=_raw "Network Location\",value=\"(?<Network_Location>.*?)\s*(\w*+)\]" | eval Network_Location=substr(Network_Location, 1, len(Network_Location)-1)
| rex max_match=0 field=_raw "PROJECT NAME\",value=\"(?<Project_Name>.*?)\s*(\w*+)\]" | eval Project_Name=substr(Project_Name, 1, len(Project_Name)-1)
| rex max_match=0 field=_raw "FIREWALL HOSTNAME\",value=\"(?<Firewall_Hostname>.*?)\s*(\w*+)\]" | eval Firewall_Hostname=substr(Firewall_Hostname, 1, len(Firewall_Hostname)-1)
| rex max_match=0 field=_raw "PROJECT OWNER /SM MAIL ID\",value=\"(?<Project_Owner_SM_Mail_Id>.*?)\s*(\w*+)\]" | eval Project_Owner_SM_Mail_Id=substr(Project_Owner_SM_Mail_Id, 1, len(Project_Owner_SM_Mail_Id)-1)
| rex max_match=0 field=_raw "PROJECT/OWNER NAME\",value=\"(?<Project_Owner_Name>.*?)\s*(\w*+)\]" | eval Project_Owner_Name=substr(Project_Owner_Name, 1, len(Project_Owner_Name)-1)
| rex max_match=0 field=_raw "REGISTERED UNDER\",value=\"(?<Registered_Under>.*?)\s*(\w*+)\]" | eval Registered_Under=substr(Registered_Under, 1, len(Registered_Under)-1)
| rex max_match=0 field=_raw "SR NUMBER\",value=\"(?<SR_Number>.*?)\s*(\w*+)\]" | eval SR_Number=substr(SR_Number, 1, len(SR_Number)-1)
| rex max_match=0 field=_raw "SUB CATEGRORY : HOST IP Entity\",value=\"(?<Sub_Categrory_Host_IP_Entity>.*?)\s*(\w*+)\]" | eval Sub_Categrory_Host_IP_Entity=substr(Sub_Categrory_Host_IP_Entity, 1, len(Sub_Categrory_Host_IP_Entity)-1)
| rex max_match=0 field=_raw "BUILDING\",value=\[\"(?<Building>[^\"]*)\"\]" | eval Building=substr(Building, 1, len(Building)+1)
| rex max_match=0 field=_raw "FIREWALL MANAGEMENT IP\",value=\"(?<Firewall_Management_IP>.*?)\s*(\w*+)\]" | eval Firewall_Management_IP=substr(Firewall_Management_IP, 1, len(Firewall_Management_IP)-1)
| rex max_match=0 field=_raw "VLAN-ID\",value=\"(?<Vlan_ID>.*?)\s*(\w*+)\]" | eval Vlan_ID=substr(Vlan_ID, 1, len(Vlan_ID)-1)
| rex max_match=0 field=_raw "VLAN-Name\",value=\"(?<Vlan_Name>.*?)\s*(\w*+)\]" | eval Vlan_Name=substr(Vlan_Name, 1, len(Vlan_Name)-1)
| rex max_match=0 field=_raw "TERMINATION TECHNICAL CONTACT\",value=\"(?<Termination_Technical_Contact>.*?)\s*(\w*+)\]" | eval Termination_Technical_Contact=substr(Termination_Technical_Contact, 1, len(Termination_Technical_Contact)-1)
| rex max_match=0 field=_raw "SUBNET TYPE\",value=\"(?<Subnet_Type>.*?)\s*(\w*+)\]" | eval Subnet_Type=substr(Subnet_Type, 1, len(Subnet_Type)-1)
| rex max_match=0 field=_raw "OWNER OF SUBNET\",value=\"(?<Owner_Of_Subnet>.*?)\s*(\w*+)\]" | eval Owner_Of_Subnet=substr(Owner_Of_Subnet, 1, len(Owner_Of_Subnet)-1)
| rex max_match=0 field=_raw "Network Comment\",value=\"(?<Network_Comment>.*?)\s*(\w*+)\]" | eval Network_Comment=substr(Network_Comment, 1, len(Network_Comment)-1)
| rex max_match=0 field=_raw "GATEWAY 2 MANAGEMENT IP\",value=\"(?<Gateway_2_Management_IP>.*?)\s*(\w*+)\]" | eval Gateway_2_Management_IP=substr(Gateway_2_Management_IP, 1, len(Gateway_2_Management_IP)-1)
| rex max_match=0 field=_raw "GATEWAY MANAGED BY\",value=\"(?<Gateway_Managed_By>.*?)\s*(\w*+)\]" | eval Gateway_Managed_By=substr(Gateway_Managed_By, 1, len(Gateway_Managed_By)-1)
| rex max_match=0 field=_raw "GATEWAY TECHNICAL CONTACT\",value=\"(?<Gateway_Technical_Contact>.*?)\s*(\w*+)\]" | eval Gateway_Technical_Contact=substr(Gateway_Technical_Contact, 1, len(Gateway_Technical_Contact)-1)
| rex max_match=0 field=_raw "GATEWAY1 MANAGEMENT IP\",value=\"(?<Gateway1_Management_IP>.*?)\s*(\w*+)\]" | eval Gateway1_Management_IP=substr(Gateway1_Management_IP, 1, len(Gateway1_Management_IP)-1)
| rex max_match=0 field=_raw "HOST NAME GATEWAY1\",value=\"(?<Host_Name_Gateway1>.*?)\s*(\w*+)\]" | eval Host_Name_Gateway1=substr(Host_Name_Gateway1, 1, len(Host_Name_Gateway1)-1)
| rex max_match=0 field=_raw "HOST NAME GATEWAY2\",value=\"(?<Host_Name_Gateway2>.*?)\s*(\w*+)\]" | eval Host_Name_Gateway2=substr(Host_Name_Gateway2, 1, len(Host_Name_Gateway2)-1)
| rex max_match=0 field=_raw "HOST TYPE\",value=\"(?<Host_Type>.*?)\s*(\w*+)\]" | eval Host_Type=substr(Host_Type, 1, len(Host_Type)-1)
| rex max_match=0 field=_raw "IP BLOCK TYPE\",value=\"(?<IP_Block_Type>.*?)\s*(\w*+)\]" | eval IP_Block_Type=substr(IP_Block_Type, 1, len(IP_Block_Type)-1)
| rex max_match=0 field=_raw "ODC\",value=\"(?<ODC>.*?)\s*(\w*+)\]" | eval ODC=substr(ODC, 1, len(ODC)-1)
| rename TIMESTAMP as "Timestamp", ADMIN as "Admin", ACTION as "Action", OBJECT_TYPE as "Network Type", OBJECT_NAME as "Network", EXEC_STATUS as "Execution Status", MESSAGE as "Message", host as "Member"
| table "Timestamp" "Admin" "Network Type" "Network" "City" "IP_Block_Type" "Region" "Country" "Network_Location" "Building" "ODC" "Floor" "Project_Name" "CKT_ID" "Assignor_ID" "IP_Block_Termination_Device" "CR_Number" "Deployment_Status" "Firewall_Hostname" "Project_Owner_SM_Mail_Id" "Project_Owner_Name" "Registered_Under" "SR_Number" "Firewall_Management_IP" "Vlan_ID" "Vlan_Name" "Termination_Technical_Contact" "Subnet_Type" "Owner_Of_Subnet" "Network_Comment" "Gateway_2_Management_IP" "Gateway_Managed_By" "Gateway_Technical_Contact" "Gateway1_Management_IP" "Host_Name_Gateway1" "Host_Name_Gateway2" "Host_Type" "Sub_Categrory_Host_IP_Entity"
Try simplifying the rex and evals (I wasn't sure what was going on with Building and the length + 1)
| rex max_match=0 field=_raw "CITY\",value=\"(?<City>[^\"]+)"
| rex max_match=0 field=_raw "REGION\",value=\"(?<Region>[^\"]+)"
| rex max_match=0 field=_raw "FLOOR\",value=\"(?<Floor>[^\"]+)"
| rex max_match=0 field=_raw "COUNTRY\",value=\"(?<Country>[^\"]+)"
| rex max_match=0 field=_raw "CKT ID\",value=\"(?<CKT_ID>[^\"]+)"
| rex max_match=0 field=_raw "Assignor ID\",value=\"(?<Assignor_ID>[^\"]+)"
| rex max_match=0 field=_raw "IP BLOCK TERMINATION DEVICE\",value=\"(?<IP_Block_Termination_Device>[^\"]+)"
| rex max_match=0 field=_raw "CR NUMBER\",value=\"(?<CR_Number>[^\"]+)"
| rex max_match=0 field=_raw "DEPLOYMENT STATUS\",value=\[\"(?<Deployment_Status>[^\"]*)\"\]"
| rex max_match=0 field=_raw "Network Location\",value=\"(?<Network_Location>[^\"]+)"
| rex max_match=0 field=_raw "PROJECT NAME\",value=\"(?<Project_Name>[^\"]+)"
| rex max_match=0 field=_raw "FIREWALL HOSTNAME\",value=\"(?<Firewall_Hostname>[^\"]+)"
| rex max_match=0 field=_raw "PROJECT OWNER /SM MAIL ID\",value=\"(?<Project_Owner_SM_Mail_Id>[^\"]+)"
| rex max_match=0 field=_raw "PROJECT/OWNER NAME\",value=\"(?<Project_Owner_Name>[^\"]+)"
| rex max_match=0 field=_raw "REGISTERED UNDER\",value=\"(?<Registered_Under>[^\"]+)"
| rex max_match=0 field=_raw "SR NUMBER\",value=\"(?<SR_Number>[^\"]+)"
| rex max_match=0 field=_raw "SUB CATEGRORY : HOST IP Entity\",value=\"(?<Sub_Categrory_Host_IP_Entity>[^\"]+)"
| rex max_match=0 field=_raw "BUILDING\",value=\[\"(?<Building>[^\"]*)\"\]"
| eval Building=substr(Building, 1, len(Building)+1)
| rex max_match=0 field=_raw "FIREWALL MANAGEMENT IP\",value=\"(?<Firewall_Management_IP>[^\"]+)"
| rex max_match=0 field=_raw "VLAN-ID\",value=\"(?<Vlan_ID>[^\"]+)"
| rex max_match=0 field=_raw "VLAN-Name\",value=\"(?<Vlan_Name>[^\"]+)"
| rex max_match=0 field=_raw "TERMINATION TECHNICAL CONTACT\",value=\"(?<Termination_Technical_Contact>[^\"]+)"
| rex max_match=0 field=_raw "SUBNET TYPE\",value=\"(?<Subnet_Type>[^\"]+)"
| rex max_match=0 field=_raw "OWNER OF SUBNET\",value=\"(?<Owner_Of_Subnet>[^\"]+)"
| rex max_match=0 field=_raw "Network Comment\",value=\"(?<Network_Comment>[^\"]+)"
| rex max_match=0 field=_raw "GATEWAY 2 MANAGEMENT IP\",value=\"(?<Gateway_2_Management_IP>[^\"]+)"
| rex max_match=0 field=_raw "GATEWAY MANAGED BY\",value=\"(?<Gateway_Managed_By>[^\"]+)"
| rex max_match=0 field=_raw "GATEWAY TECHNICAL CONTACT\",value=\"(?<Gateway_Technical_Contact>[^\"]+)"
| rex max_match=0 field=_raw "GATEWAY1 MANAGEMENT IP\",value=\"(?<Gateway1_Management_IP>[^\"]+)"
| rex max_match=0 field=_raw "HOST NAME GATEWAY1\",value=\"(?<Host_Name_Gateway1>[^\"]+)"
| rex max_match=0 field=_raw "HOST NAME GATEWAY2\",value=\"(?<Host_Name_Gateway2>[^\"]+)"
| rex max_match=0 field=_raw "HOST TYPE\",value=\"(?<Host_Type>[^\"]+)"
| rex max_match=0 field=_raw "IP BLOCK TYPE\",value=\"(?<IP_Block_Type>[^\"]+)"
| rex max_match=0 field=_raw "ODC\",value=\"(?<ODC>[^\"]+)"
Where in the search were you putting the suggested eval for block?
Hi @ITWhisperer, the first snip shows the audit logs, and I've highlighted the IP Block Type details in the snip.
Audit logs
The second snip shows the output printed for IP_Block_Type, but it contains all the details (descendants_action etc.), and I don't want to print any value for those entries. They should be omitted.
Snip2
The third Snip is showing the logic that I have used to get the details from the audit logs of IPAM.
Logic to fetch the data
Hi @sgulhane5
Thanks but the images are almost impossible to use. Can you copy and paste the third part into a code block?
I can see that there is something wrong with your IP_Block_Type extraction. Is that part of your logic, or has this field been extracted on indexing?
In the result, it is showing "OVERRIDE", but it is taking operation="OVERRIDE" from the 2nd condition also, and I don't want that. I just want to print the 1st condition with operation="OVERRIDE".
I don't understand - what is your full query? Also, can you provide a sample event which is coming through that you would like to be omitted?
@ITWhisperer It is not working. I don't want [name="IP BLOCK TYPE",value="Public",descendants_action={option_with_ea:"INHERIT",option_without_ea:"NOT_INHERIT"},operation="OVERRIDE"] to be printed, as this has operation="OVERRIDE". So help me to discard this case while checking 1 and 2. The 1st should print, not the second one.
Does the block field appear in the results? What values appear for it? Block should be 1 if the string appears in the _raw event and therefore excluded by the where clause.
| rex field=_raw "operation=\"(?<IP_Block_Type>.\w+)\""
| where isnotnull(IP_Block_Type)
| eval block=if(match(_raw,"descendants_action=\{option_with_ea:\"INHERIT\",option_without_ea:\"NOT_INHERIT\"\}"),1,0)
| where block=0
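As an added illustration (not code from this thread or from Splunk), here is a Python prototype of the same extraction outside SPL: it undoes the \NNN octal escapes that the posted query replaces one by one, splits the MESSAGE into its [name=...,value=...,operation=...] entries, and keeps only IP BLOCK TYPE entries that carry operation="OVERRIDE" without a descendants_action. That is ITWhisperer's block=0 filter, but applied per entry rather than per event, so it also covers a single event that contains both condition 1 and condition 2. The sample message and the field layout around the entries are constructed assumptions.

```python
import re

# Constructed sample MESSAGE in the octal-escaped form the thread's replace() chain
# undoes: entry 1 is the plain OVERRIDE case, entry 2 also carries descendants_action.
SAMPLE_MESSAGE = (
    r'Created\040Network\040extensible_attributes:['
    r'[name=\042IP\040BLOCK\040TYPE\042,value=\042Private\042,operation=\042OVERRIDE\042],'
    r'[name=\042IP\040BLOCK\040TYPE\042,value=\042Public\042,'
    r'descendants_action={option_with_ea:\042INHERIT\042,option_without_ea:\042NOT_INHERIT\042},'
    r'operation=\042OVERRIDE\042]]'
)

# One [name="...",...] entry; the lazy body stops at the entry's own closing bracket,
# which is safe because descendants_action={...} uses braces, not brackets.
ENTRY_RE = re.compile(r'\[name="(?P<name>[^"]*)",(?P<body>.*?)\]')


def decode_octal(msg: str) -> str:
    """Turn every \\NNN octal escape (\\040 space, \\042 quote, ...) back into its character."""
    return re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), msg)


def parse_ea_entries(msg: str) -> list[dict]:
    """Return one dict per extensible-attribute entry found in a decoded audit message."""
    entries = []
    for m in ENTRY_RE.finditer(decode_octal(msg)):
        body = m.group('body')
        value = re.search(r'value="([^"]*)"', body)
        operation = re.search(r'operation="([^"]*)"', body)
        entries.append({
            'name': m.group('name'),
            'value': value.group(1) if value else None,
            'operation': operation.group(1) if operation else None,
            # Mirrors the match(_raw, "descendants_action=...") test, but per entry.
            'descendants_action': 'descendants_action=' in body,
        })
    return entries


def ip_block_type_overrides(msg: str) -> list[str]:
    """Values of IP BLOCK TYPE entries with operation OVERRIDE and no descendants_action."""
    return [e['value'] for e in parse_ea_entries(msg)
            if e['name'] == 'IP BLOCK TYPE'
            and e['operation'] == 'OVERRIDE'
            and not e['descendants_action']]


if __name__ == '__main__':
    for entry in parse_ea_entries(SAMPLE_MESSAGE):
        print(entry)
    print(ip_block_type_overrides(SAMPLE_MESSAGE))  # ['Private']
```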