Splunk Search

How to extract fields from openSCAP using regex?

zsanchez113
Explorer

Hey all,

I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.
transforms.conf:

[fields_for_scap]
REGEX = Title\n\t(.*)\nRule\n\t(.*)\n(?:Ident\n\t(.*)\n(?:Ident\n\t(.*)\n)?)?Result\n\t(.*)
FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5

Previously attempted regexes:

REGEX = Title\n\t(.*)\nRule\n\t(.*)\n(?:Ident\n\t(.*)\n)?(?:Ident\n\t(.*)\n)?Result\n\t(.*)
REGEX = Title\n\t(.*)\nRule\n\t(.*)(?:\nIdent\n\t)?(.*|)(?:\nIdent\n\t)?(.*|)\nResult\n\t(.*)

props.conf:

[scap]
SHOULD_LINEMERGE=false
LINE_BREAKER = (\n\n)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORT-fields_for_scap = fields_for_scap

Example events:

Title
  Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
Rule
  kernel_disable_entropy_contribution_for_solid_state_drives
Result
  pass

Title
  Ensure /tmp Located On Separate Partition
Rule
  partition_for_tmp
Ident
  CCE-26435-8
Ident
  DISA FSO RHEL-06-000001
Result
  pass

Edit:

For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.

1 Solution

FrankVl
Ultra Champion

Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.


cpetterborg
SplunkTrust

Try:

REGEX = Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?[\s\S]*?Result[\r\n]*\s*([^\r\n]*)
FORMAT = Title::$1 Rule::$2 CCE::$4 DISA::$5 Result::$6

It's fairly efficient.
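A worked check of both answers, added here as an example and not code posted by either answerer or by the question's author. It runs the one-pattern-per-field approach FrankVl describes and the combined pattern from cpetterborg's answer over the two events quoted in the question, plus a third event constructed for this example that carries a CCE Ident line but no DISA line. Python's re module treats every construct in these patterns ([\s\S]*?, [^\r\n], optional groups, (?m)) the same way Splunk's PCRE does, and events are split on blank lines to mirror LINE_BREAKER = (\n\n). The per-field patterns, the mapping of each one to its own transforms.conf stanza, and the names PER_FIELD, extract_per_field, extract_combined and compare are my own suggestions, not anything from the thread.

```python
"""Field extraction from openSCAP text-report events.

Added example, not code from the thread. Compares:
  1. one regex per field, as separate REPORT-* stanzas would do it;
  2. the single combined regex from cpetterborg's answer, unchanged.
"""
from __future__ import annotations

import re

# Constructed sample input: the two events quoted in the question, followed by
# a third event (assumed, not from the thread) with a CCE Ident but no DISA Ident.
SAMPLE_REPORT = """\
Title
  Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
Rule
  kernel_disable_entropy_contribution_for_solid_state_drives
Result
  pass

Title
  Ensure /tmp Located On Separate Partition
Rule
  partition_for_tmp
Ident
  CCE-26435-8
Ident
  DISA FSO RHEL-06-000001
Result
  pass

Title
  Constructed event with a CCE identifier only
Rule
  constructed_rule_with_single_ident
Ident
  CCE-00000-0
Result
  fail
"""

# Approach 1: one pattern per field. Each entry is what one transforms.conf
# stanza would carry (REGEX = <pattern>, FORMAT = <Field>::$1). (?m) lets ^
# anchor at each line; \s* accepts tab or space indentation, unlike the
# literal \t in the question's pattern.
PER_FIELD = {
    "Title":  r"(?m)^Title\r?\n\s*([^\r\n]+)",
    "Rule":   r"(?m)^Rule\r?\n\s*([^\r\n]+)",
    "CCE":    r"(?m)^Ident\r?\n\s*(CCE-[^\r\n]+)",
    "DISA":   r"(?m)^Ident\r?\n\s*(DISA [^\r\n]+)",
    "Result": r"(?m)^Result\r?\n\s*([^\r\n]+)",
}

# Approach 2: cpetterborg's combined pattern, verbatim, plus its FORMAT mapping
# (Title::$1 Rule::$2 CCE::$4 DISA::$5 Result::$6).
COMBINED = re.compile(
    r"Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)"
    r"([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?"
    r"[\s\S]*?Result[\r\n]*\s*([^\r\n]*)"
)
COMBINED_FORMAT = {"Title": 1, "Rule": 2, "CCE": 4, "DISA": 5, "Result": 6}


def split_events(report: str) -> list[str]:
    """Break the report into events on blank lines (the props.conf LINE_BREAKER)."""
    return [e.strip("\r\n") for e in re.split(r"\r?\n\r?\n", report) if e.strip()]


def extract_per_field(event: str) -> dict[str, str]:
    """Apply each field regex independently; a field that is absent is simply absent."""
    fields: dict[str, str] = {}
    for name, pattern in PER_FIELD.items():
        m = re.search(pattern, event)
        if m:
            fields[name] = m.group(1).strip()
    return fields


def extract_combined(event: str) -> dict[str, str]:
    """Apply the single combined regex and map groups the way its FORMAT does."""
    m = COMBINED.search(event)
    if not m:
        return {}
    return {name: m.group(i).strip()
            for name, i in COMBINED_FORMAT.items() if m.group(i) is not None}


def compare(report: str = SAMPLE_REPORT) -> list[tuple[dict[str, str], dict[str, str]]]:
    """Return (per_field, combined) extractions for every event in the report."""
    return [(extract_per_field(e), extract_combined(e)) for e in split_events(report)]


if __name__ == "__main__":
    for per_field, combined in compare():
        print("per-field:", per_field)
        print("combined: ", combined)
        print()
```

For the two events from the question both approaches return the same fields. For the constructed single-Ident event they diverge: the combined pattern's optional group requires two Ident lines, so when only one is present the whole group fails and neither CCE nor DISA is extracted, while the per-field patterns still return the CCE. That is the practical reason to prefer one REPORT stanza per optional field, as the accepted answer suggests. Two further checks worth keeping in mind: the combined pattern's [\s\S]*? can only stay inside one event because LINE_BREAKER has already split the report, so that setting must be in place before the regex is safe; and \s* after each label matches tab or space indentation, so it does not matter whether the forum rendered the original tabs as spaces.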
