Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search-time field extraction with multiple values

conor_splunk
Path Finder
‎10-23-2014 06:03 PM

I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.

SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition:    3 SKI:  xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject:    CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx

Using the following search from the Splunk search box everything works fine.

index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"

It correctly extracts a field called "san" and finds all of the following SAN's:

amazonaws.com
*.amazonaws.com
*.us-east-1.amazonaws.com
*.us-west-2.amazonaws.com
*.us-west-1.amazonaws.com
*.eu-west-1.amazonaws.com
*.ap-southeast-1.amazonaws.com
*.ap-southeast-2.amazonaws.com
*.ap-northeast-1.amazonaws.com
*.sa-east-1.amazonaws.com

I've tried setting this up via the Splunkweb:

  1. Settings > Fields
  2. Field Extractions

Name: WinEventLog:Security : EXTRACT-CA-SAN-fields
Type: Inline
Extraction/Transform: (?ms)(DNS|IPAddress)=(?[\w.-*]+)

I've tried adding max_match=50 to this but it breaks the match as I assume max_match=50 becomes part of the regex.

  1. Settings > Fields
  2. Field transformations

Name: CA_SAN_MV
Regular Expression: san="(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
or
Regular Expression: (?ms)(DNS|IPAddress)=(?[\w.-*]+)
or
Regular Expression: "(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
Source Key: _raw
or
Source Key: Message
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Via Field Extractions it works but only catches the first instance of SAN=xxxx.

Reply
1 Solution
Solved! Jump to solution
Solution

conor_splunk
Path Finder
‎10-24-2014 02:56 AM

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

View solution in original post

Reply
Solved! Jump to solution
Solution

conor_splunk
Path Finder
‎10-24-2014 02:56 AM

I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.

Splunkweb > Settings > Fields > Field Transformation

Name               : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key         : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked

Splunkweb > Settings > Fields > Field extractions

Name        : CA-SAN-fields
Apply to    : sourcetype=WinEventLog:Security
Type        : Uses transform
Extraction/Transform: CA_SAN_EXTRACT

Works as expected picking up all the SAN fields.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...