Solved: Help with field extraction

mcollins42 · ‎01-30-2018

I'm failing miserably at this. I'm hoping someone can help me out so I can build my knowledge for future extractions

I'm getting the following record from an application, via syslog and need to perform field extractions:

Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success

Where:

Jan 30 08:50:14 (DateTime)
8.8.8.8 (src_ip)
Smith, Jim (src_user)
Jim.Smith@Domain.com (src_userupn)
Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Canada.CompassGroup.Corp\Users - Compass)' (message)
Success (Result)

Result is optional and may not be in each record, depending on what the message is.

Any regex gurus out there that can help me out?

mayurr98 · ‎01-30-2018

Hey @mcollins42

Try this run anywhere search

| makeresults | eval _raw="Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success" | rex field=_raw "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')\|(?<Result>.*)"

let me know if this helps!

View solution in original post

mayurr98 · ‎01-30-2018

Hey @mcollins42

Try this run anywhere search

| makeresults | eval _raw="Jan 30 08:50:14 8.8.8.8 Smith, Jim (Jim.Smith@Domain.com)|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success" | rex field=_raw "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')\|(?<Result>.*)"

let me know if this helps!

mayurr98 · ‎01-30-2018

As you said result is optional, so your some events are ending with pipe? If yes then above and @harsmarvania57 will work for both kind of events. But if it is not ending with pipe then I suggest you to extract result seperately.

you can try

| rex field=_raw  "(?<DateTime>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<src_user>[^\(]+)\s\((?<src_userupn>[^\)]+)\)\|(?<message>[^\)]*\)')"

And for result

| rex field=_raw ".*\|(?<Result>.*)"

let me know if this helps!

mcollins42 · ‎01-31-2018

Great example! Separating "Result" into another extraction was a great idea.

harsmarvania57 · ‎01-31-2018

No need to write 2 rex you can achieve same in single rex only, you will not get any output in Result field but field will be created with no data.

<yourBasesearch> 
| rex "(?<DateTime>.*)\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<src_user>[^\(]*)\s\((?<userupn>[^\)]*)\)\|(?<message>[^\|]*)\|?(?<Result>.*)?"

harsmarvania57 · ‎01-30-2018

Hi @mcollins42,

Can you please try this ?

<yourBasesearch> | rex "(?<DateTime>.*)\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<src_user>[^\(]*)\s\((?<userupn>[^\)]*)\)\|(?<message>[^\|]*)\|(?<Result>.*)"

sbbadri · ‎01-30-2018

@mcollins42

please try below

Help with field extraction

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

Help with field extraction

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...