Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Hello everyone, am trying to extract fields fr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<54>Nov 30 15:02:42 SymantecServer SR-SAAP-SEP01: Scan ID: 1448882755,Begin: 2015-11-30 11:47:09,End: 2015-11-30 11:58:44,Completed,Duration (seconds): 695,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete: Risks: 0 Scanned: 1472 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 1465',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1472,Omitted: 0,Computer: IBV-HQ-L12,IP Address: 172.18.10.34,Domain: Default,"Group: My Company\Workstations\Information Technology\",Server: SR-SAAP-SEP01
<54>Nov 30 15:00:42 SymantecServer SR-SAAP-SEP01: Scan ID: 1448884513,Begin: 2015-11-30 11:55:45,End: ,Started,Duration (seconds): 0,User1: z.Zomoniem,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: MLK-HQ-324,IP Address: 172.18.3.65,Domain: Default,Group: My Company\Workstations,Server: SR-SAAP-SEP01
am trying to create different types of reports that showing the the threat that I may face from viruses and not up to date machines, but the issue is that the event locks mess rather than that am not familiar with rex and regex commands and syntax.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried adding | extract pairdelim="," kvdelim=":" to your search? You should also consider adding kv rex to your conf fileds
If those two are not an option and you must use rex, this should work
.*SymantecServer\s(?<server_name>[^:]+):[^:]+:\s(?<scan_id>\d+),[^\d]+(?<begin>[^,]+),[^\s]+\s(?<end>[^,]+)?,(?<status>\w+),[^:]+:\s(?<duration>\d+),[^\s]+\s(?<user1>[^,]+),[^:]+:\s(?<user2>[^,]+)?(.*)Command:\s(?<command>[^,]+).*Total files:\s(?<total_files>\d+),[^:]+:\s(?<omitted>\d+),[^:]+:\s(?<computer>[^,]+),[^:]+:\s(?<ip>[^,]+).*Server:\s(?<server>.*)
This will extract the fields that are in bold in your question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried adding | extract pairdelim="," kvdelim=":" to your search? You should also consider adding kv rex to your conf fileds
If those two are not an option and you must use rex, this should work
.*SymantecServer\s(?<server_name>[^:]+):[^:]+:\s(?<scan_id>\d+),[^\d]+(?<begin>[^,]+),[^\s]+\s(?<end>[^,]+)?,(?<status>\w+),[^:]+:\s(?<duration>\d+),[^\s]+\s(?<user1>[^,]+),[^:]+:\s(?<user2>[^,]+)?(.*)Command:\s(?<command>[^,]+).*Total files:\s(?<total_files>\d+),[^:]+:\s(?<omitted>\d+),[^:]+:\s(?<computer>[^,]+),[^:]+:\s(?<ip>[^,]+).*Server:\s(?<server>.*)
This will extract the fields that are in bold in your question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @sundareshr, its working now as per your recommended solution,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where are you facing issues when doing the extractions?? are you using the field extractor or building the extractions yourself?
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
