How do I find this string?

ajit4242
Engager

My string is

"abcdxyz|11.2.0000|56|12120|32|1005|15|32|7742|5|54|336|446|203473<"

The above string is a string inside a huge log entry. I want to extract the above string, and then the last 4 fields from it, to map for a graph.

I tried using (name="*abcdxyz|11.2.0000|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]|[0-9]<*")

but I am getting a lot of noise there.

1 Solution

ITWhisperer
SplunkTrust

Given your earlier attempt, perhaps you could try something like this:

| rex "abcdxyz\|11\.2\.0000\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|(?<lastfour>[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\<)"


ajit4242
Engager

Thank you for the inputs, but when trying to apply it on the whole log it fails:

Retrieve |5|act=Retrieve password suser=abcd fname=Root\Operating Systems-admin dvc= shost=1.1.1.1 dhost=asdfek duser=sasassa externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=asasas cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPM<5>138:13Z PRO-ASA CEF:0|Cyber-Ark|baba|11.2.0000|22|sas Verify wd|5|act=abs Verify pas  suser=SEFPEOJFEFL fname=Root\Operating System-SASASdfdfd= shost=1.1.1.1 dhost= duser=awsas externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=test1 cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=Ver msg=VerificationPeriodCEF:0|Cyber-Ark|abcdxyz|11.2.0000|64|14555|65|4774|13|32|8207|18|58|336|446|210812<5>1 2023-02-28T23:38:15Z PRO-asa CEF:0|Cyber-Ark|Vault|11.2.0000|51|Retrieve File|5|act=Retrieve File suser=abcd fname=Root\Policies\Policy-GenericWebApp.ini dvc= shost=1.1.1.1 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=CMDsas cs3Label="Device Type" cs3= cs4Label="sasasas"

PickleRick
SplunkTrust

OK. I'm not sure whether it's the case of you pasting the log into the webpage or whether it's the original data, but it seems that it's not properly broken into separate events. That's one thing which must be properly done before you can reliably work with those logs.

Secondly, CyberArk produces CEF logs for which there are several Add-Ons (you might want to compile your own from them; I'm not sure if there is an official Splunk-supplied Add-on for CEF).

Thirdly, this CEF seems a bit misformatted.

ITWhisperer
SplunkTrust

Has the field (msg?) already been extracted?

ajit4242
Engager

No, it's just the raw log.

ajit4242
Engager

I was able to get it working. First I just got it for all values and then filtered it. Thank you for your help.

VaultMonitor\|[0-9]+\.[0-9]+\.[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+

ITWhisperer
SplunkTrust
| eval name=split(name,"|")
| eval lastfour=mvindex(name,-4,-1)
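As an added example (not from any poster in this thread), here is the accepted rex pattern and the split/mvindex approach reproduced in Python so the extraction can be checked offline. The event text is a constructed excerpt shaped like the log pasted above, and "abcdxyz" is the placeholder product name from the question, not a real CyberArk field value.

```python
import re
from typing import List, Optional

# Constructed excerpt modelled on the log pasted in the thread (not the poster's
# actual data): CEF-style records run together without event breaks, one of which
# carries the pipe-delimited "abcdxyz" counters whose last four fields are wanted.
RAW_EVENT = (
    "CEF:0|Cyber-Ark|baba|11.2.0000|22|sas Verify wd|5|act=abs Verify pas "
    'cn2Label="Ticket Id" cn2=Ver msg=VerificationPeriod'
    "CEF:0|Cyber-Ark|abcdxyz|11.2.0000|64|14555|65|4774|13|32|8207|18|58|336|446|210812<5>1 "
    "2023-02-28T23:38:15Z PRO-asa CEF:0|Cyber-Ark|Vault|11.2.0000|51|Retrieve File|5|"
)

# Same shape as the accepted rex: product name, dotted version, eight numeric
# fields, then the last four numeric fields captured as one group, anchored on the
# trailing "<" so neighbouring records with other field counts are not matched.
COUNTER_RE = re.compile(
    r"abcdxyz\|\d+\.\d+\.\d+\|" + r"\d+\|" * 8 + r"(?P<lastfour>\d+\|\d+\|\d+\|\d+)<"
)


def extract_lastfour(raw: str) -> Optional[List[int]]:
    """Return the last four counters as integers, or None if the record is absent."""
    match = COUNTER_RE.search(raw)
    if match is None:
        return None
    return [int(value) for value in match.group("lastfour").split("|")]


def lastfour_by_split(name: str) -> List[str]:
    """Mirror of `eval name=split(name,"|") | eval lastfour=mvindex(name,-4,-1)`."""
    return name.split("|")[-4:]


if __name__ == "__main__":
    print(extract_lastfour(RAW_EVENT))
    print(lastfour_by_split("abcdxyz|11.2.0000|56|12120|32|1005|15|32|7742|5|54|336|446|203473"))
```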