Splunk Search

Search-time field extraction with multiple values

conor_splunk
Path Finder

I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.

SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition:    3 SKI:  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject:    CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx

Using the following search from the Splunk search box everything works fine.

index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"

It correctly extracts a field called "san" and finds all of the following SANs:

amazonaws.com
*.amazonaws.com
*.us-east-1.amazonaws.com
*.us-west-2.amazonaws.com
*.us-west-1.amazonaws.com
*.eu-west-1.amazonaws.com
*.ap-southeast-1.amazonaws.com
*.ap-southeast-2.amazonaws.com
*.ap-northeast-1.amazonaws.com
*.sa-east-1.amazonaws.com

I've tried setting this up via the Splunkweb:

  1. Settings > Fields
  2. Field Extractions

Name: WinEventLog:Security : EXTRACT-CA-SAN-fields
Type: Inline
Extraction/Transform: (?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)

I've tried adding max_match=50 to this but it breaks the match as I assume max_match=50 becomes part of the regex.

  1. Settings > Fields
  2. Field transformations

Name: CA_SAN_MV
Regular Expression: san="(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"
or
Regular Expression: (?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)
or
Regular Expression: "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"
Source Key: _raw
or
Source Key: Message
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Via Field Extractions it works but only catches the first instance of SAN=xxxx.
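As an added example (not part of the original post), the same regex run in Python over a constructed event modelled on the one above. It contrasts first-match behaviour, which is what the inline extraction in the question gives, with all-match behaviour, which is what `rex max_match=50` gives. Python's `re` wants `(?P<san>...)` for the named group where Splunk's PCRE accepts `(?<san>...)`; the second event, with an `IPAddress=` entry, is constructed here to exercise the alternation.

```python
import re

# Constructed sample event, modelled on the Windows CA event in the post
# (hex/IP values shortened; the SAN list is the one the post shows).
EVENT = (
    "SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com"
    "&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com"
    "&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com"
    "&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com"
    "&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx "
    "Disposition:    3 Subject:    CN=amazonaws.com, OU=xxx, O=xxx, C=xx"
)

# Constructed event with an IP SAN, to show the (DNS|IPAddress) alternation.
EVENT_IP = "SAN:DNS=intranet.example&IPAddress=10.0.0.5 CertificateTemplate:xx"

# Same pattern as the post's rex command. Splunk (PCRE) accepts (?<san>...);
# Python's re module needs (?P<san>...) for a named group.
SAN_RE = re.compile(r"(?ms)(DNS|IPAddress)=(?P<san>[\w\.\-\*]+)")


def first_san(event: str):
    """Single-match behaviour: what an inline EXTRACT- gives you."""
    m = SAN_RE.search(event)
    return m.group("san") if m else None


def all_sans(event: str, max_match: int = 50):
    """All matches, capped like `rex max_match=N` (0 means unlimited)."""
    values = [m.group("san") for m in SAN_RE.finditer(event)]
    return values if max_match == 0 else values[:max_match]


def sans_by_type(event: str):
    """(kind, value) pairs so DNS and IPAddress SANs can be told apart."""
    return [(m.group(1), m.group("san")) for m in SAN_RE.finditer(event)]


if __name__ == "__main__":
    print("first match only:", first_san(EVENT))
    print("all matches:", all_sans(EVENT))
    print("typed:", sans_by_type(EVENT_IP))
```

The character class `[\w\.\-\*]` stops at `&` and at whitespace, which is what keeps each SAN separate here; it would not capture an IPv6 SAN (colons) or an email SAN (`@`), so widen it if those appear in your CA logs.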

1 Solution

conor_splunk
Path Finder

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.
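The same configuration as Splunk Web writes it to props.conf and transforms.conf, added here as an example and not taken from the original post. Stanza and class names follow the answer above; the file location (an app's `local/` directory under `$SPLUNK_HOME/etc/apps/`) is assumed. The point the answer arrives at is that a multivalued search-time extraction needs a REPORT- class pointing at a transform with `MV_ADD = true`; an inline EXTRACT- class keeps only the first match and has no place to put `max_match`.

```ini
# transforms.conf  (assumed: $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Splunk Web "Field transformations" writes here.
[CA_SAN_EXTRACT]
REGEX      = (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
SOURCE_KEY = _raw
# "Create multivalued fields": every match becomes another value of san.
# Without this (or with an inline EXTRACT-) only the first match survives.
MV_ADD     = true
# "Automatically clean field names"
CLEAN_KEYS = true

# props.conf  (same app)
# Splunk Web "Field extractions" writes here.
[WinEventLog:Security]
# Type "Uses transform" = REPORT-<class>, referencing the stanza above.
REPORT-CA-SAN-fields = CA_SAN_EXTRACT
# For comparison, the question's first attempt was an inline extraction;
# this form cannot take max_match or MV_ADD and stops after the first SAN:
# EXTRACT-CA-SAN-fields = (?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)
```

Search-time extractions live on the search head, so put the files there (or in the app deployed to it). After editing the files by hand, `| extract reload=true` on a search forces props.conf and transforms.conf to be re-read without a restart. To check the result, compare the automatic field with the ad hoc one: `index="CA_Logs" host=ca1 | eval n=mvcount(san) | stats max(n)` should report the full SAN count (10 for the event in the question) rather than 1.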
