- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract these 3 separate fields from Reti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to extract the below syslog messages from Retina network scanner into 3 separate fields. Each time I start the extraction, I get the below message.
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings
Here are a few samples.
Feb 1 13:33:23 10.5.3.62 2016- 2- 1 19:33:24 Retina: Retina has found Medium Severity audit SSL/TLS RC4 Cipher Suites Supported on ip 10.5.1.47.
Feb 1 13:31:49 10.5.3.62 2016- 2- 1 19:31:50 Retina: Retina has found Low Severity audit TFTP Server Detected on ip 10.5.3.2.
Feb 1 13:33:21 10.5.3.62 2016- 2- 1 19:33:22 Retina: Retina has found Medium Severity audit SSL Weak Cipher Suite Encryption Algorithm Key Length Supported on ip 10.5.1.47.
Feb 1 13:33:20 10.5.3.62 2016- 2- 1 19:33:21 Retina: Retina has found Medium Severity audit SSL Weak Cipher Suite Supported on ip 10.5.1.47.
Jan 20 04:34:30 10.5.3.62 2016- 1-20 10:34:32 Retina: Retina has found High Severity audit Microsoft Office Remote Code Execution - 3114553 Office 2010 on ip 10.5.3.67.
The 3 fields I want to extract are severity (High, Medium, Low), the vulnerability which is all text between the work 'audit' and the word 'on', the last field is the ip address.
I can get it to extract the severity, but it fails doing the other 2 fields.
Any help would be appreciated.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In props.conf
[yoursourcetypehere]
EXTRACT-ef1=has found (?<severity>\w+) Severity audit
EXTRACT-ef2=audit (?<vulnerability>.*)\son\s
EXTRACT-ef3= on ip (?<ip>\S+).$
If you don't have access to props.conf,you can use the regular expressions that follow the =. Using the field extractor, just choose to edit the regular expression - then replace the regular expression with what is given here. You will need to run the field extractor 3 times - once for each field: severity, vulnerability, ip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This regex string works with your sample data.
"(?<severity>\w+?) Severity audit (?<vuln>.*?) on ip (?<ip>\d+\.\d+\.\d+\.\d+)"
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In props.conf
[yoursourcetypehere]
EXTRACT-ef1=has found (?<severity>\w+) Severity audit
EXTRACT-ef2=audit (?<vulnerability>.*)\son\s
EXTRACT-ef3= on ip (?<ip>\S+).$
If you don't have access to props.conf,you can use the regular expressions that follow the =. Using the field extractor, just choose to edit the regular expression - then replace the regular expression with what is given here. You will need to run the field extractor 3 times - once for each field: severity, vulnerability, ip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both ways worked but I like the props.conf method.
Thanks to both of you! Time for me to learn how to do extractions.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
