Splunk Search

Search-time field extraction with multiple values

conor_splunk
Path Finder

I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.

SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition:    3 SKI:  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject:    CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx

Using the following search from the Splunk search box everything works fine.

index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"

It correctly extracts a field called "san" and finds all of the following SAN's:

amazonaws.com
*.amazonaws.com
*.us-east-1.amazonaws.com
*.us-west-2.amazonaws.com
*.us-west-1.amazonaws.com
*.eu-west-1.amazonaws.com
*.ap-southeast-1.amazonaws.com
*.ap-southeast-2.amazonaws.com
*.ap-northeast-1.amazonaws.com
*.sa-east-1.amazonaws.com

I've tried setting this up via the Splunkweb:

  1. Settings > Fields
  2. Field Extractions

Name: WinEventLog:Security : EXTRACT-CA-SAN-fields
Type: Inline
Extraction/Transform: (?ms)(DNS|IPAddress)=(?[\w.-*]+)

I've tried adding max_match=50 to this but it breaks the match as I assume max_match=50 becomes part of the regex.

  1. Settings > Fields
  2. Field transformations

Name: CA_SAN_MV
Regular Expression: san="(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
or
Regular Expression: (?ms)(DNS|IPAddress)=(?[\w.-*]+)
or
Regular Expression: "(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
Source Key: _raw
or
Source Key: Message
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Via Field Extractions it works but only catches the first instance of SAN=xxxx.

1 Solution

conor_splunk
Path Finder

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

View solution in original post

conor_splunk
Path Finder

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...