Splunk Search

How to write the regular expression to extract these fields from my sample data?

kschmeling
New Member

Hello,

I'm trying to create a regex to extract the fields to the follow logs:

Example 1

msg=O equipamento marte (192.168.0.1) recuperou a conectividade SSH suid=7 sname=Script Assíncrono: 10 suser= spid=17025 dst=192.168.0.2 dhost=marte dport=22

Example 2

msg=Sessao iniciada para marte (192.168.0.1) - Usuario Privilegiado TPL - root pelo usuario Usuario Teste (usuario.teste) suid=297 sname=Usuario Teste suser=usuario.teste spid=14410 dst=192.168.0.1 dpt=22 duser=root

I need to extract the fields like that:

Example 1

msg=O equipamento marte (192.168.0.1) recuperou a conectividade SSH
suid=7
sname=Script Assíncrono: 10
suser=
spid=17025
dst=192.168.0.2
dhost=marte
dport=22

Example 2

msg=Sessao iniciada para marte (192.168.0.1) - Usuario Privilegiado TPL - root pelo usuario Usuario Teste (usuario.teste)
suid=297
sname=Usuario Teste
suser=usuario.teste
spid=14410
dst=192.168.0.1
dpt=22
duser=root

I'm using https://regex101.com/ to help me

Any help is appreciated

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The examples are little different, which makes finding a common regex string tricky, but I believe this will work.

"msg=(?<msg>.*?) suid=(?<suid>\d+) sname=(?<sname>.*?) suser=(?<suser>.*) spid=(?<spid>\d+) dst=(?<dst>[^ ]+) (dhost=(?<dhost>.*?) dport=(?<dport>\d+))?(dpt=(?<dpt>\d+) duser=(?<duser>.*))?"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

rahulrawlani
Explorer

Hello Friend,

If you want to extract the fields for both the events with one regex, then try using the below regex

.*msg\=(?.*)?suid\=(?\d+)?\ssname\=(?.*)?suser\=(?.*)?\sspid\=(?\d+)\sdst\=(?\d+\.\d+\.\d+\.\d+)\s(?:dhost\=(?\w+)\sdport\=(?\d+)|(?:dpt\=(?\d+)\sduser\=(?\w+)))

Let me know if that works for you.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The examples are little different, which makes finding a common regex string tricky, but I believe this will work.

"msg=(?<msg>.*?) suid=(?<suid>\d+) sname=(?<sname>.*?) suser=(?<suser>.*) spid=(?<spid>\d+) dst=(?<dst>[^ ]+) (dhost=(?<dhost>.*?) dport=(?<dport>\d+))?(dpt=(?<dpt>\d+) duser=(?<duser>.*))?"
---
If this reply helps you, Karma would be appreciated.

kschmeling
New Member

Perfect, it's working. The trick is this expression:

(dhost=(?<dhost>.*?) dport=(?<dport>\d+))?(dpt=(?<dpt>\d+) duser=(?<duser>.*))?

Thanks a lot!

0 Karma

Richfez
SplunkTrust
SplunkTrust

I am surprised this isn't happening automatically. Under normal circustances, Splunk would find any "key=value" pairs in inputs.

Have you repeated your search in Verbose mode to make sure you can see the fields it's already found?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe the default parser uses space as a delimiter so he'd end up with 'msg=O' and 'msg=Sessao'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kschmeling
New Member

Yes, Splunk give me this results:

msg=O
msh=Sessao
sname=Script
sname=Usuario

0 Karma

Richfez
SplunkTrust
SplunkTrust

Yes, I realized that would have been the case after I had another cup of coffee and the wonderfully talented richgalloway reminded me of same. 🙂

There should be an answer below - give it a try and if it works for you, please accept it!

Happy Splunking!

-Rich

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...