I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.
SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition: 3 SKI: xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject: CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx
Using the following search from the Splunk search box everything works fine.
index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"
It correctly extracts a field called "san" and finds all of the following SANs:
I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on the field transformation and called it on the field extraction as a report. For anyone else who comes across something similar and finds it confusing, I did the following.
Splunkweb > Settings > Fields > Field Transformation
Name : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked
Splunkweb > Settings > Fields > Field extractions
Name : CA-SAN-fields
Apply to : sourcetype=WinEventLog:Security
Type : Uses transform
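To check the transform's regex outside Splunk before committing it to props.conf and transforms.conf, here is an added Python example (not code from the question or the answer) that applies the same pattern to the CA issuance event quoted in the question and builds the multivalued `san` field the way the transform would, honouring the `max_match=50` cap from the original search. The `extract_san` and `wildcard_sans` names and the trimmed sample event are constructed for this example; Python's `re` requires the `(?P<name>...)` spelling for the named group that Splunk's PCRE writes as `(?<name>...)`.

```python
import re

# Regex from the field transformation in the answer. Only the named-group syntax
# differs: Python needs (?P<san>...), Splunk accepts (?<san>...). The (?ms) flags
# match the search-time rex in the question.
SAN_RE = re.compile(r"(?ms)(DNS|IPAddress)=(?P<san>[\w\.\-\*]+)")

# Constructed sample event: the SAN portion of the event quoted in the question,
# followed by the next field so the last SAN is terminated by whitespace as in the log.
SAMPLE_EVENT = (
    "SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com"
    "&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com"
    "&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com"
    "&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com"
    "&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0"
)


def extract_san(event: str, max_match: int = 50) -> list[str]:
    """Return the 'san' values as a multivalued list, as the transform with
    'Create multivalued fields' ticked would. max_match mirrors rex max_match:
    only the first N matches are kept, so an event with more SANs than the cap
    silently loses the rest, which is worth knowing when reviewing CA output."""
    return [m.group("san") for m in SAN_RE.finditer(event)][:max_match]


def wildcard_sans(sans: list[str]) -> list[str]:
    """Defender-side helper: pick out wildcard SANs (*.example.com) from the
    extracted list, since wildcard issuance is usually what a CA review wants
    surfaced first."""
    return [s for s in sans if s.startswith("*.")]


if __name__ == "__main__":
    sans = extract_san(SAMPLE_EVENT)
    print(f"{len(sans)} SAN value(s) extracted:")
    for s in sans:
        print("  ", s)
    print("wildcards:", wildcard_sans(sans))
```

The equivalent on-disk form of the UI settings from the answer is a `[CA_SAN_EXTRACT]` stanza in transforms.conf carrying `REGEX`, `SOURCE_KEY = _raw`, `MV_ADD = true` and `CLEAN_KEYS = true`, referenced from props.conf under `[WinEventLog:Security]` as `REPORT-CA-SAN-fields = CA_SAN_EXTRACT`; running the script first confirms the pattern stops at `&` and at the space before `CertificateTemplate`, so no neighbouring field text leaks into `san`.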