Splunk Search

How to configure proper line-breaking for logs from McAfee Database Monitoring?

muralianup
Communicator

Have this problem with linebreaks in the logs from the McAfee database mon tool. Tried a couple of configs in props.conf, but it didn't help. Basically I'm trying on a test machine and no new logs are coming in, so I am looking for a regex/sed for this, something like ignore every occurrence of the \r\n pattern.
For example, this is one of the events:

\r\n\r\nDatabase is probably vulnerable to a GDI+ EMF Integer Overflow (CVE-blah ). Please check if Microsoft patch MS08-052 was applied properly. \r\nCVE: CVE-2008-3012

Any suggestions?

0 Karma
1 Solution

Richfez
SplunkTrust

To match \r or \n you need to escape the backslash. So, something like

SEDCMD-rem-backslashrn = s/\\r\\n//g

Should substitute nothing (i.e. the empty string between the last two / characters) for any time it sees \r\n. The final g says to do it globally, or in other words replace all the times in that field it sees that string.

You can test by creating a search and doing a

... | rex field=myfield mode=sed "s/\\r\\n//g"

And fiddle with that until you get it right. Then put that in your SEDCMD.



muralianup
Communicator

Thank you. Adding one more backslash did the trick.

rex field=myfield mode=sed "s/\\\r\\\n//g"
0 Karma

woodcock
Esteemed Legend

If you can be much more detailed on a specific example of events in the log, we can probably help you.

0 Karma

muralianup
Communicator

I tried sed for ignoring the \r, \n characters but to no avail. I am trying to extract a field which describes the vulnerability. Here's one of the events:

2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "

This new field to be extracted, let's say "description", I was able to extract using the regex. But the breaks I am trying to remove using sed don't seem to work.

0 Karma
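The following is an added example, not code from the thread or from Splunk. It reproduces in Python what the accepted answer's `s/\\r\\n//g` does and what the last post asks for (pulling the "description" field out of the McAfee event). The key point it makes concrete: in this log the `\r\n` are literal backslash-r, backslash-n characters written into the text by the monitoring tool, not carriage-return/line-feed bytes, which is why line-breaking settings never split them and why the pattern must escape the backslash. Python's `re.sub` is used as a stand-in for `SEDCMD`/`rex mode=sed` (an assumption: for this literal pattern the PCRE and Python regex semantics agree); the event string is a copy of the one posted above, and the function names are my own.

```python
"""Added example: literal "\\r\\n" cleanup and description extraction for
the McAfee Database Monitoring event posted in the thread (not Splunk code)."""
import csv
import io
import re

# Copy of the event from the thread, kept as a raw string so that every
# backslash in it stays a literal backslash character, exactly as it
# sits in the log file. The "\r\n" below are therefore four characters
# of text (\ r \ n), not CR/LF bytes.
SAMPLE_EVENT = r'''2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "'''

# Equivalent of the accepted answer's  s/\\r\\n//g :
# "\\" in the pattern is one escaped backslash, so this matches the
# literal text \r\n rather than a real line break.
LITERAL_CRLF = re.compile(r"\\r\\n")


def strip_literal_crlf(text):
    """Drop every literal '\\r\\n' sequence, like the SEDCMD with the /g flag."""
    return LITERAL_CRLF.sub("", text)


def demo_escaping(text):
    """Count matches for the unescaped and escaped forms of the pattern.

    A pattern written as a real CR LF (what an unescaped \\r\\n turns into)
    never matches this event; only the escaped form does.
    """
    real_crlf = re.compile("\r\n")  # matches CR LF bytes only
    return {
        "real_crlf_matches": len(real_crlf.findall(text)),
        "literal_crlf_matches": len(LITERAL_CRLF.findall(text)),
    }


def extract_fields(event):
    """Split the quoted CSV payload that follows the timestamp and host.

    The CSV body starts at the first double quote; skipinitialspace copes
    with the stray space before the last field in the sample event.
    Returns the list of fields; the last one is the vulnerability text.
    """
    body = event[event.index('"'):]
    reader = csv.reader(io.StringIO(body), skipinitialspace=True)
    return next(reader)


def extract_description(event):
    """The field the thread calls 'description', with literal \\r\\n removed."""
    fields = extract_fields(event)
    return strip_literal_crlf(fields[-1]).strip()


if __name__ == "__main__":
    print(demo_escaping(SAMPLE_EVENT))
    print(extract_description(SAMPLE_EVENT))
```

Running it shows zero matches for the real-CRLF pattern and three for the escaped one, and returns the cleaned description on a single line. The same escaping logic is what makes the `rex ... mode=sed` test in the accepted answer a faithful preview of the `SEDCMD` that ends up in props.conf.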