Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search-time field extraction with multiple values

conor_splunk
Path Finder
‎10-23-2014 06:03 PM

I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.

SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition:    3 SKI:  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject:    CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx

Using the following search from the Splunk search box everything works fine.

index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"

It correctly extracts a field called "san" and finds all of the following SAN's:

amazonaws.com
*.amazonaws.com
*.us-east-1.amazonaws.com
*.us-west-2.amazonaws.com
*.us-west-1.amazonaws.com
*.eu-west-1.amazonaws.com
*.ap-southeast-1.amazonaws.com
*.ap-southeast-2.amazonaws.com
*.ap-northeast-1.amazonaws.com
*.sa-east-1.amazonaws.com

I've tried setting this up via the Splunkweb:

  1. Settings > Fields
  2. Field Extractions

Name: WinEventLog:Security : EXTRACT-CA-SAN-fields
Type: Inline
Extraction/Transform: (?ms)(DNS|IPAddress)=(?[\w.-*]+)

I've tried adding max_match=50 to this but it breaks the match as I assume max_match=50 becomes part of the regex.

  1. Settings > Fields
  2. Field transformations

Name: CA_SAN_MV
Regular Expression: san="(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
or
Regular Expression: (?ms)(DNS|IPAddress)=(?[\w.-*]+)
or
Regular Expression: "(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
Source Key: _raw
or
Source Key: Message
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Via Field Extractions it works but only catches the first instance of SAN=xxxx.

Reply
1 Solution
Solved! Jump to solution
Solution

conor_splunk
Path Finder
‎10-24-2014 02:56 AM

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

View solution in original post

Reply
Solved! Jump to solution
Solution

conor_splunk
Path Finder
‎10-24-2014 02:56 AM

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...