Help with Field Extraction

secphilomath1
Explorer

Here is my sample data:

start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information. Splunk only grabs NT and not the rest of the string.

I have the following regex via regex101 that works... I am grabbing whatever is between 'duser=' and ' dvc':

(?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work... 

I have tried...

| rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'" 

and

| rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field.

Thanks in advance.

1 Solution

ITWhisperer
SplunkTrust

| rex "duser=(?<duser>.*?) dvc=(?<dvc>\S+).*dhost=(?<dhost>\S+)"


secphilomath1
Explorer

When I put in my search like this

| rex field=_raw "duser=(?<User>.*?) dvc"

I get a new field called UserNameLabel with the value of User


ITWhisperer
SplunkTrust

Set your anchors either side of the field extraction

| rex "duser=(?<User>.*?) dvc"

secphilomath1
Explorer

When I put in my search like this

| rex field=_raw "duser=(?<User>.*?) dvc"

I get a new field called UserNameLabel with the value of 'User' not the user field data


ITWhisperer
SplunkTrust

Please share some anonymised sample data, the search you are using, your current results and your expected results.


secphilomath1
Explorer

duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.efgh.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time

I want to be able to pull out the duser, dvc, dhost etc.  Focusing on the duser ATM because it is giving me the most grief because of the space in the value.  If I can get one to work, I can get the rest working.

The search so far is simple:

index="abc" 

| rex field=_raw "duser=(?P<User>.*?) dvc"

| table User


ITWhisperer
SplunkTrust

| rex "duser=(?<duser>.*?) dvc=(?<dvc>\S+).*dhost=(?<dhost>\S+)"

secphilomath1
Explorer

Oh wait, these have to be in order; what if I wanted to grab a field that is 10 fields before this?

Expanded sample data:

dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type Rule=Critical System Settings RuleLabel=Rule RuleType=Windows Registry Rule RuleTypeLabel=Rule Type fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices ChangeType=Added ChangeTypeLabel=Change Type SeverityName=High SeverityNameLabel=Tripwire Severity Name VersionOID=-1y2p0ij32e8cf:-1y2p0iizs0ilf VersionOIDLabel=Version OID SeverityNumber=10000 SeverityNumberLabel=Tripwire Severity Number sproc=C:\Windows\System32\svchost.exe licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elemen...NoWebServices%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7p1%3A-1y2p0ij32bgh0%22%2C%22criteria.searchExecuted%22%3Atrue%7D start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time timezoneLabel=Time Zone elementOID=-1y2p0ij32e8ca:-1y2p0ij02lo5f elementOIDLabel=Element OID blVersion=false blVersionLabel=Is baseline version hardCodedIP=10.10.10.10


Say I wanted the fields NodeType, RuleType, fname, duser, sproc?

Thanks


ITWhisperer
SplunkTrust

As I said in my original reply, you just have to set up the anchors correctly. regex101.com is a great site for testing regex.

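The anchoring idea from the accepted answer, worked through as an added Python example that is not part of this thread (Python's `re` accepts the same `(?P<name>...)` group syntax that the `rex` command in the question uses). The right-hand anchor is generalised from the hard-coded ` dvc` to "the next `key=` token or end of event", so one pattern pulls any field regardless of its position, and a second function shows why a whitespace-delimited extraction stops at `NT`. The sample event is constructed, abridged from the one posted above (the long licurl value is dropped).

```python
import re

# Constructed sample event, abridged from the thread's expanded sample data.
# Raw strings keep the backslashes in the Windows paths and the account name.
SAMPLE = (
    r"dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type "
    r"Rule=Critical System Settings RuleLabel=Rule "
    r"RuleType=Windows Registry Rule RuleTypeLabel=Rule Type "
    r"fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices "
    r"ChangeType=Added sproc=C:\Windows\System32\svchost.exe "
    r"start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 "
    r"rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available "
    r"content=0x00000001 (1) contentLabel=Current Version Content "
    r"timezone=Pacific Standard Time hardCodedIP=10.10.10.10"
)

# Right-hand anchor: a space followed by the next key name and "=", or end of event.
# Keys may contain a hyphen (SHA-1), hence [\w-]+ rather than \w+.
NEXT_KEY = r"(?= [\w-]+=|$)"


def extract_naive(event: str, field: str):
    """Whitespace-delimited extraction: stops at the first space in the value."""
    m = re.search(rf"(?:^| ){re.escape(field)}=(?P<value>\S+)", event)
    return m.group("value") if m else None


def extract(event: str, field: str):
    """Pull one field wherever it sits in the event.

    Left anchor: the key name at a token boundary (start of event or a space),
    so 'Rule=' does not match inside 'RuleLabel=' or inside a URL query string.
    Right anchor: the next key=value token, so spaces inside the value survive.
    """
    m = re.search(rf"(?:^| ){re.escape(field)}=(?P<value>.*?){NEXT_KEY}", event)
    return m.group("value") if m else None


def extract_all(event: str) -> dict:
    """Walk every key=value pair with the same anchoring; a later duplicate key
    overwrites an earlier one."""
    pairs = re.finditer(rf"(?:^| )(?P<key>[\w-]+)=(?P<value>.*?){NEXT_KEY}", event)
    return {m.group("key"): m.group("value") for m in pairs}


if __name__ == "__main__":
    print("naive duser:", extract_naive(SAMPLE, "duser"))
    for name in ("NodeType", "RuleType", "fname", "duser", "sproc"):
        print(f"{name}: {extract(SAMPLE, name)}")
```

Splunk's rex has no Python host around it, but the same pattern shape, `key=(?P<key>.*?)(?= [\w-]+=|$)`, is what the accepted answer's anchors reduce to once the trailing ` dvc=` is generalised.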

secphilomath1
Explorer

Wow, thanks so much!  That solves all my problems!
