Splunk Search

How to configure proper line-breaking for logs from McAfee Database Monitoring?

muralianup
Communicator

Have this problem with linebreaks in the logs from the McAfee database monitoring tool. Tried a couple of configs in props.conf, but they didn't help. Basically I am trying this on a test machine and no new logs are coming in, so I am looking for a regex/sed for this, something like ignoring every occurrence of the \r\n pattern.
For example, this is one of the events:

\r\n\r\nDatabase is probably vulnerable to a GDI+ EMF Integer Overflow (CVE-blah ). Please check if Microsoft patch MS08-052 was applied properly. \r\nCVE: CVE-2008-3012

Any suggestions?


Richfez
SplunkTrust

To match \r or \n, you need to escape the backslash. So, something like

SEDCMD-rem-backslashrn = s/\\r\\n//g

That should substitute nothing (i.e. the empty string between the last two // characters) every time it sees \r\n. The final g says to do it globally, or in other words, to replace every occurrence of that string in the field.

You can test by creating a search and doing a

... | rex field=myfield mode=sed "s/\\r\\n//g"

And fiddle with that until you get it right. Then put that in your SEDCMD.


muralianup
Communicator

Thank you. Adding one more backslash did the trick.

rex field=myfield mode=sed "s/\\\r\\\n//g"

woodcock
Esteemed Legend

If you can be much more detailed on a specific example of events in the log, we can probably help you.


muralianup
Communicator

I tried sed to ignore the \r, \n characters, but to no avail. I am trying to extract a field which describes the vulnerability. Here's one of the events:

2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "

The new field to be extracted, let's say "description", I was able to extract using the regex. But removing the breaks using sed doesn't seem to work.

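Added illustration, not code from the thread: this Python snippet reproduces the escaping point from the accepted answer against a constructed copy of the event posted above. The McAfee tool writes the characters backslash-r backslash-n literally, so a pattern for a real CR LF pair matches nothing, while the doubly escaped pattern from the SEDCMD strips them; Python's re module stands in for Splunk's sed engine here, and the field names are assumptions.

```python
import re

# Constructed sample event, modelled on the one posted in the thread. The
# description field carries the four characters \ r \ n literally (three
# times), not real carriage-return / line-feed bytes.
EVENT = (
    '2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW",'
    '"DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\\MSSQ",'
    '"testserer24.example.com","MS2008TEST", "\\r\\n\\r\\nDatabase is probably '
    'vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if '
    'Microsoft patch MS08-062 was applied properly. \\r\\nCVE: CVE-2009-2501 "'
)

# Pattern as written in the answer's SEDCMD s/\\r\\n//g: each backslash is
# escaped, so the regex engine looks for a literal backslash followed by r,
# then a literal backslash followed by n.
LITERAL_CRLF = re.compile(r"\\r\\n")

# The naive pattern matches a real CR LF pair, which this text never contains,
# which is why an unescaped s/\r\n//g appears to do nothing on these events.
REAL_CRLF = re.compile(r"\r\n")


def strip_literal_crlf(text: str) -> str:
    """Drop every literal backslash-r backslash-n sequence (the working SEDCMD)."""
    return LITERAL_CRLF.sub("", text)


def strip_real_crlf(text: str) -> str:
    """Drop real CR LF pairs (the naive pattern that leaves these events unchanged)."""
    return REAL_CRLF.sub("", text)


def extract_description(event: str) -> str:
    """Pull the last quoted field (the vulnerability text) and clean it up.

    The quoted-field regex allows backslash escapes inside quotes so that the
    host field testserer24\\MSSQ and the literal \\r\\n sequences do not end
    the match early.
    """
    fields = re.findall(r'"((?:[^"\\]|\\.)*)"', event)
    return strip_literal_crlf(fields[-1]).strip()


if __name__ == "__main__":
    print(strip_real_crlf(EVENT) == EVENT)      # True: nothing to remove
    print(extract_description(EVENT))           # the cleaned description
```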