Splunk Search
Highlighted

Search-time field extraction with multiple values

Path Finder

I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.

SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition:    3 SKI:  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject:    CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx

Using the following search from the Splunk search box everything works fine.

index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"

It correctly extracts a field called "san" and finds all of the following SAN's:

amazonaws.com
*.amazonaws.com
*.us-east-1.amazonaws.com
*.us-west-2.amazonaws.com
*.us-west-1.amazonaws.com
*.eu-west-1.amazonaws.com
*.ap-southeast-1.amazonaws.com
*.ap-southeast-2.amazonaws.com
*.ap-northeast-1.amazonaws.com
*.sa-east-1.amazonaws.com

I've tried setting this up via the Splunkweb:

  1. Settings > Fields
  2. Field Extractions

Name: WinEventLog:Security : EXTRACT-CA-SAN-fields
Type: Inline
Extraction/Transform: (?ms)(DNS|IPAddress)=(?[\w.-*]+)

I've tried adding maxmatch=50 to this but it breaks the match as I assume maxmatch=50 becomes part of the regex.

  1. Settings > Fields
  2. Field transformations

Name: CASANMV
Regular Expression: san="(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
or
Regular Expression: (?ms)(DNS|IPAddress)=(?[\w.-*]+)
or
Regular Expression: "(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
Source Key: _raw
or
Source Key: Message
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Via Field Extractions it works but only catches the first instance of SAN=xxxx.

Highlighted

Re: Search-time field extraction with multiple values

Path Finder

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

View solution in original post