Splunk Search

How to create a field extraction for a field that contains multiple values?



I have the following event record. I need to create a field extraction on field called openports that is having multiple values highlighted in bold. How do I do this :

2016-12-01T14:34:26.315202-06:00 XXX.xxx.xxx.xxx CounterACT[1762]: admission=New Host; hostname=xxx.xxx.xxx.xxx; ad_displayname=User; banner=Unknown; onsite=Yes; online=Yes; ip=xx.xxx.xx.xx; ad_name=User; latest_ioc_date_sensitivity=Low Severity: #012Medium Severity: #012High Severity: #012Critical Severity: ; atc_scan_details=Scan Start Time: #012Scan Duration (seconds): #012Scan Status: Never scanned#012Scan Errors: ; mac=Unknown; mac_colon=Irresolvable; mac_dash=Irresolvable; group=Windows; nic_vendor=Irresolvable; nic_vendor_string=Irresolvable; netfunction=Windows Machine; openports=22/TCP, 135/TCP, 21/TCP, 80/TCP, 137/UDP, 3389/TCP;

Any help will be greatly appreciated



0 Karma


try if openports is not already extracted:

your query
| rex field=_raw "openports\=(?<openports>[^;]+)"
| rex field=openports max_match=0 "(?<port>[\d]+)\/(?<protocol>[^,\s]+)"
| table values(port)

If it's already extracted then remove the first line | rex field=_raw "openports\=(?<openports>[^;]+)" and if depending on the last character if your earlier extraction caught ; as well then add additional exlusion in [^,\s] to make it [^,;\s]

0 Karma


Thanks gokadroid for you input, could you please help me do an automatic extraction for this field openports

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...