Splunk Search

How to extract this field?

balu1211
Path Finder

Hi

extract the field

sample data : "tag":AKAMAI/WAF/

Thanks..

Labels (1)
0 Karma

gcusello
Esteemed Legend

Hi @balu1211,

please try this:

| rex "(?ms)\"tag\":\s*(?<tag>[^\n]+)"

that you an test at https://regex101.com/r/3p4M9q/1

Ciao.

Giuseppe

balu1211
Path Finder

Hi @gcusello @yuanliu @ITWhisperer 

my usecase is like the values under ipblock/adaptive should extract under new filed name including  ipblock value as well in that new field name.

 "tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

Output: under new field name eg. ip_attack

IPBLOCK

BURST

SUMMARY

thanks.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

You can use mvindex to extract the last part of a path.

| eval tag = mvindex(split(tag, "/"), -1)

As @gcusello, you should start a new post when you change substance. 

Tags (2)

gcusello
Esteemed Legend

Hi @balu1211,please try this:

| rex "\"tag\":\"(\w*\/\w*\/)*(?<ip_attack>\w+)\""

that you can test at https://regex101.com/r/dEkQF3/1

Ciao.

Giuseppe

balu1211
Path Finder

...

0 Karma

balu1211
Path Finder

...

0 Karma

gcusello
Esteemed Legend

Hi @balu1211,

I thought that the one you shared was your event!

could you share (in text format not screenshot) the event for field extraction?

Ciao.

Giuseppe

0 Karma

balu1211
Path Finder

....

0 Karma

gcusello
Esteemed Legend

Hi @balu1211,

the regex I shared correctly extract the tag field also with this source, what's the problem?

Ciao.

Giuseppe

0 Karma

balu1211
Path Finder

.............

0 Karma

yuanliu
SplunkTrust
SplunkTrust

@balu1211I am glad you finally started to explain what you are trying to do in the other thread Re: Help with the field extraction and regex. So, based on this, you have a conformant JSON, therefore you must already have a field named tag that is extracted already. Applying the same technique from the other thread,

| rex field=tag mode=sed "s/AKAMAI\/(\w+)\/(.+)/AKAMAI_\1=\"\2\"/"
| rex field=tag mode=sed "s/ASE\/(\w+)\/(.+)/ASE\/\1=\"\2\"/"
| rex field=tag mode=sed "s/(IPBLOCK\/.+)/ip_Attack=\"\1\"/"
| rex field=tag mode=sed "s/(CUSTOM_AKA\/.+)/Custom_Rules=\"\1\"/"
``` convert structured paths to key-value pairs ```
| rename _raw as temp, tag as _raw ``` extract works on _raw only ```
| kv ``` extract key-value pairs ```
| rename temp as _raw

This is the same formula I posted there, except it was never clear that you had a field named "tag" and that the data was somehow related to your initial question.

Tags (1)

gcusello
Esteemed Legend

Hi @balu1211 ,

this is a regex to extract the tag vales:

| rex "\"tag\":\"(?<tag>[^\"]*)"

that you can test at https://regex101.com/r/mGxdvh/1

Anyway, as hinted by @ITWhisperer, I hint to explore the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath) to extract all the fields from your json file.

Ciao.

Giuseppe

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| spath attackData.rules{}.tag output=tag
| mvexpand tag
| rex field=tag "(?<name>.*)/.*?"
| eval name=coalesce(name,tag)
| eval {name}=tag

balu1211
Path Finder

@yuanliu @ITWhisperer @gcusello 

Hi,

Could you help me out to extract these field to make it as a global.

"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

I want to extract these marked in red color in one new field name as  ip_block.

 

thanks.

0 Karma

gcusello
Esteemed Legend

Hi @balu1211,

please try this:

| rex "\"tag\":\"(\w*\/\w*\/)*(?<tag>[^\"]+)"

but it's always better to create a new question for a new issue.

Ciao.

Giuseppe

ITWhisperer
SplunkTrust
SplunkTrust

What have you tried so far?

0 Karma

balu1211
Path Finder

Hi My usecase is field extraction not the search pls help in extracting the fields from the events i mentioned above.

Thanks

@ITWhisperer

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What have you already tried?

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...