Here is my sample data:
start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37
I need to extract the full duser information. Splunk only grabs NT and not the remainder of the string.
I have the following regex via regex101 that works. I am grabbing whatever is between 'duser=' and ' dvc':
(?<=duser=)(.*?)(?= dvc)
I just don't quite understand how the field extraction part is supposed to work...
I have tried...
| rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"
and
| rex field=_raw "duser=\s+(?<User>[^\\]*)"
No errors, just not getting any data in a User field.
Thanks in advance.
When I put in my search like this
| rex field=_raw "duser=(?<User>.*?) dvc"
I get a new field called UserNameLabel with the value of User
Set your anchors either side of the field extraction
| rex "duser=(?<User>.*?) dvc"
When I put in my search like this
| rex field=_raw "duser=(?<User>.*?) dvc"
I get a new field called UserNameLabel with the value of 'User' not the user field data
Please share some anonymised sample data, the search you are using, your current results and your expected results.
duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.efgh.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time
I want to be able to pull out the duser, dvc, dhost etc. Focusing on the duser ATM because it is giving me the most grief because of the space in the value. If I can get one to work, I can get the rest working.
The search so far is simple:
index="abc"
| rex field=_raw "duser=(?P<User>.*?) dvc"
| table User
| rex "duser=(?<duser>.*?) dvc=(?<dvc>\S+).*dhost=(?<dhost>\S+)"
Oh wait, these have to be in order. What if I wanted to grab a field that is 10 fields before this?
Expanded sample data:
dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type Rule=Critical System Settings RuleLabel=Rule RuleType=Windows Registry Rule RuleTypeLabel=Rule Type fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices ChangeType=Added ChangeTypeLabel=Change Type SeverityName=High SeverityNameLabel=Tripwire Severity Name VersionOID=-1y2p0ij32e8cf:-1y2p0iizs0ilf VersionOIDLabel=Version OID SeverityNumber=10000 SeverityNumberLabel=Tripwire Severity Number sproc=C:\Windows\System32\svchost.exe licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elemen...NoWebServices%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7p1%3A-1y2p0ij32bgh0%22%2C%22criteria.searchExecuted%22%3Atrue%7D start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time timezoneLabel=Time Zone elementOID=-1y2p0ij32e8ca:-1y2p0ij02lo5f elementOIDLabel=Element OID blVersion=false blVersionLabel=Is baseline version hardCodedIP=10.10.10.10
Say I wanted the fields NodeType, RuleType, fname, duser, sproc?
Thanks
As I said in my original reply, you just have to set up the anchors correctly. regex101.com is a great site for testing regex.
Wow, thanks so much! That solves all my problems!
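The anchored rex approach in the replies above can be checked outside Splunk before it goes into a search. The Python below is an added example, not code from the thread or from Splunk: it uses the same (?P<name>...) named-group syntax as the searches in the thread, runs it against a constructed event modelled on the expanded sample data (hosts and addresses are placeholders), and generalises the single-field anchor into a tokenizer that pulls every key=value pair whatever order the fields arrive in.

```python
import re
from typing import Optional

# Constructed sample event modelled on the thread's Tripwire-style log line.
# Values containing spaces, backslashes and embedded '=' are the awkward cases.
SAMPLE = (
    "dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type "
    "RuleType=Windows Registry Rule RuleTypeLabel=Rule Type "
    "fname=HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoWebServices "
    "sproc=C:\\Windows\\System32\\svchost.exe "
    "licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager "
    "start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\\SYSTEM dvc=10.10.10.10 "
    "rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available "
    "content=0x00000001 (1) contentLabel=Current Version Content"
)

# A key is a run of word characters, dots or hyphens (e.g. SHA-1) at the start
# of the event or right after a space.  A value is matched lazily until the
# next " key=" token or end of line, so spaces and backslashes in values survive.
# Caveat: a value that itself contains " something=" would be cut short there.
KEY = r"[\w.-]+"
KV_RE = re.compile(rf"(?:^|\s)(?P<key>{KEY})=(?P<val>.*?)(?=\s{KEY}=|$)")


def extract_field(event: str, name: str) -> Optional[str]:
    """One anchored extraction, like '| rex "duser=(?P<duser>.*?) dvc="', but
    anchored on 'next key=' so it does not depend on which field follows."""
    pattern = rf"(?:^|\s){re.escape(name)}=(?P<val>.*?)(?=\s{KEY}=|$)"
    m = re.search(pattern, event)
    return m.group("val") if m else None


def parse_kv(event: str) -> dict:
    """Tokenise the whole event into {key: value}, independent of field order."""
    return {m.group("key"): m.group("val") for m in KV_RE.finditer(event)}


if __name__ == "__main__":
    fields = parse_kv(SAMPLE)
    for name in ("NodeType", "RuleType", "fname", "duser", "sproc"):
        print(f"{name} = {fields.get(name)!r}")
```

Once a per-field pattern behaves here, the same regex body (minus the Python-specific `rf` prefix) drops straight into `| rex field=_raw "..."`.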