Solved: How to edit my regex in props.conf for proper sear...

dkorlat · ‎04-05-2016

I'm trying to extract a field called Item_Name using the file props.conf on the search head. I'm currently using this in the props.conf file which isn't working:

EXTRACT-Item_Name = (?<=Item Name:).(.*?).(?=suid=)

I would like to extract all the texts between Item Name and suid= into a field called Item_Name.

Below is the events

2016-04-05T13:10:12+10:00 AFVWS05 CEF: 0|Thycotic Software|Secret Server|8.9.030008|10040|SECRET - PASSWORD_COPIED_TO_CLIPBOARD|2|msg=[SecretServer] Event: [Secret] Action: [Password Copied to Clipboard] By User: internal.local\\ddonald Item Name: Service Account for SCCM (System Center Configuration Manager) Container Name: Miscellany  suid=14 suser=internal.local\\ddonald cs4=internal.local\\Donald, David cs4Label=suser Display Name src=24.1.0.5 rt=Apr 05 2016 03:10:09 fname=Service Account for SCCM (System Center Configuration Manager) fileType=Secret fileId=345 cs3Label=Folder cs3=Miscellany

Thanks

somesoni2 · ‎04-05-2016

Give this a try

EXTRACT-Item_Name = Item Name:\s+(?<Item_Name>.+)\s+suid=

View solution in original post

somesoni2 · ‎04-05-2016

Give this a try

EXTRACT-Item_Name = Item Name:\s+(?<Item_Name>.+)\s+suid=

How to edit my regex in props.conf for proper search-time field extraction using my sample data?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?