Splunk Search

How to extract fields from openSCAP using regex?

Explorer

Hey all,

I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.
transforms.conf:

[fields_for_scap]
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?)?Result\n\t(.\*)
FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5

Previously attempted regexes:

REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?(?:Ident\n\t(.\*)\n)?Result\n\t(.\*)
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)(?:\nIdent\n\t)?(.\*|)(?:\nIdent\n\t)?(.\*|)\nResult\n\t(.\*)

props.conf:

[scap]
SHOULD_LINEMERGE=false
LINE_BREAKER = (\n\n)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORT-fields_for_scap = fields_for_scap

Example events:

Title
  Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
Rule
  kernel_disable_entropy_contribution_for_solid_state_drives
Result
  pass

Title
  Ensure /tmp Located On Separate Partition
Rule
  partition_for_tmp
Ident
  CCE-26435-8
Ident
  DISA FSO RHEL-06-000001
Result
  pass

Edit:

For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.

0 Karma
1 Solution

Ultra Champion

Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.

View solution in original post

SplunkTrust
SplunkTrust

Try:

REGEX = Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?[\s\S]*?Result[\r\n]*\s*([^\r\n]*)
FORMAT = Title::$1 Rule::$2 CCE::$4 DISA::$5 Result::$6

It's fairly efficient.

Ultra Champion

Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!