How to use field transformations in a Splunk search instead of transforms.conf?

pavanae
Builder

I have the following stanza in transforms.conf, which splits commands separated by characters like |, &, ; etc. and extracts the arguments into a separate field.

[split_and_extract_unix_commands]
SOURCE_KEY = activity
REGEX =((?<prefix>[^|&#; ]*\/)?(?<command>[^|&#; ]+)( *(?<arguments>[^&|#;]*(-exec)|[^&|#;]*))?)
MV_ADD = TRUE

And I have the field extraction for "activity" in props.conf as follows

[syslog]
EXTRACT-syslog_username_command_sudo = (sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>.+)

This actually works well and splits the values of the activity field into command and arguments.

Now how can I implement the same in a search query and create the fields "command" and "arguments" instead of creating those field extractions in transforms.conf?

The following is the query I have come up with so far, and I'm not sure what the rex stanza is for creating the fields "command" and "arguments", which actually splits the "command" field the way the transforms.conf stanza does.

sourcetype=syslog
| rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>.+)"

Any help would be great.

Thanks in Advance.

0 Karma
1 Solution

somesoni2
Revered Legend

Try these

 sourcetype=syslog
 | rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>(?<prefix>[^|&#; ]*\/)?(?<command>[^|&#; ]+)( *(?<arguments>[^&|#;]*(-exec)|[^&|#;]*))?)"

OR

 sourcetype=syslog
 | rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>.+)"
 | rex field=activity max_match=0 "((?<prefix>[^|&#; ]*\/)?(?<command>[^|&#; ]+)( *(?<arguments>[^&|#;]*(-exec)|[^&|#;]*))?)"

0 Karma
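
To try the second search from the accepted answer without indexed data, the following added example (not part of the original post) feeds it one constructed sudo event through `makeresults`; the host, user and command line are made-up sample values. `rex` returns only the first match unless `max_match` is set, so `max_match=0` is what makes `command` and `arguments` multivalue fields covering every command in `activity`.

```spl
| makeresults
| eval note="constructed sample event, not from the original post"
| eval _raw="May  4 10:15:02 host01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/passwd | /usr/bin/grep root"
| rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>.+)"
| rex field=activity max_match=0 "((?<prefix>[^|&#; ]*\/)?(?<command>[^|&#; ]+)( *(?<arguments>[^&|#;]*(-exec)|[^&|#;]*))?)"
| table username target_account activity prefix command arguments
```
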

pavanae
Builder

Thank you @ somesoni. That worked perfectly.

0 Karma

mydog8it
Builder

You pretty much have the answer in your transforms. "Your search"|REGEX _raw=((?<prefix>[^|&#; ]*\/)?(?<command>[^|&#; ]+)( *(?<arguments>[^&|#;]*(-exec)|[^&|#;]*))?)

0 Karma

pavanae
Builder

Thanks for your response @mydog8it. It didn't give me what I'm looking for. It did work without any error, but it's just getting the timestamp values under both "command" and "arguments", like May under "command" and the rest of the time under "arguments", but I'm actually trying to break the values of the "activity" field into both "command" and "arguments".

I'm not exactly sure how to tell rex to apply the field extraction to a specific field. Tried the below but got an error.

 sourcetype=syslog
 | rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>.+)"
| rex field=_raw "((?<prefix>[^|&#; ]*\/)?(?<command>[^|&#; ]+)( *(?<arguments>[^&|#;]*(-exec)|[^&|#;]*))?)" in activity
| search activity!=null
| table username target_account activity command arguments

error :- Error in 'rex' command: Invalid argument: 'in'

0 Karma