Splunk breaks a saved search report if a field value contains a colon. Do I need to escape the colon, and how?

sunbol
New Member

Splunk breaks a saved search report if the field value contains a colon. My source record is below.

[2015-07-29 12:43:53,782  user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standa... | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html

Take a look at the title: field value. It has a colon after "Investor Alert". How do I fix this? Do I need to escape it, and how?

1 Solution

woodcock
Esteemed Legend

You can fix this in one of two ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as ... | title: "Investor Alert: Fraudulent Stock Promotions" | ... OR you can use a different approach for KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

In props.conf:

[mySourceType]
# must name the transforms.conf stanza below exactly
REPORT-search_time_extractions = my_KVPs

In transforms.conf:

[my_KVPs]
# key = text up to the first colon; value = text after it up to the next " |" or end of line,
# so a colon inside a value is kept as part of the value
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message


sunbol
New Member

Thanks Woodcock. The first option requires a JAR deployment and a restart of the server on the Splunk forwarder side. Does the second option require admin access to update transforms? Am I right? I haven't created any props extractions for the Title field.
Though based on your input, I am thinking of adding the following regex to my saved search. Please let me know your thoughts.

Since the data set isn't large, I am planning on a regular expression to redefine the field title. Insert

| rex field=_raw "|\s+title:\s+(?


woodcock
Esteemed Legend

You can add a props entry and a transforms entry from the GUI without full admin privileges, depending on how your roles are set up. As far as extracting your Title, you can do this:

| rex field=_raw "\|\s+title:\s+(?<Title>[^\|]*)(?:\s+\||$)"
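The extraction strategies discussed in this thread, as an added Python example that is not part of the original posts. The sample messages are constructed (modelled on the message portion of the event in the question; the real URLs are not reproduced), and the function names and the PAIR_RE pattern are my own. It shows an extraction that treats every colon as a separator and so loses the title, the first-colon-only split that the transforms.conf regex in the accepted answer relies on, a quote-aware variant for the first option (the producer wraps the value in double quotes), and the rex from the last answer in Python syntax. It also goes one step beyond the thread: the same delimiter collision lets an attacker-controlled value that contains " | user: admin" forge a field, which is the security reason to have the producer quote or escape values rather than only relaxing the extractor.

```python
import re

# Constructed sample, modelled on the message portion of the event in the
# question (the original event and its URLs are not reproduced here).
MESSAGE = (
    "user: ataeva | userAsIsCase: AtaevA | action: approved"
    " | name: ia_promotions | id: 1370545662068 | assettype: SECArticle"
    " | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved"
    " | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov"
)

# Constructed: the same kind of record as the producer would emit it under the
# first option in the accepted answer (value wrapped in double quotes); the
# quoted value here deliberately contains both a colon and a pipe.
QUOTED_MESSAGE = (
    'user: ataeva | action: approved'
    ' | title: "Investor Alert: Fraudulent | Stock Promotions" | Status: Approved'
)

# Constructed: an attacker-controlled title that smuggles a second "user" pair,
# once bare and once quoted by the producer.
INJECTED_BARE = "user: ataeva | title: Promo | user: admin | Status: Approved"
INJECTED_QUOTED = 'user: ataeva | title: "Promo | user: admin" | Status: Approved'

PAIR_DELIM = "|"
KV_DELIM = ":"


def naive_extract(message):
    """Model of an extraction that treats EVERY colon as a key/value separator.

    The colon inside the title value is taken as one more separator, so the
    'title' field is lost and a field that never existed ('Investor Alert')
    appears instead.  This models the failure mode, not Splunk's internals.
    """
    fields = {}
    for pair in message.split(PAIR_DELIM):
        parts = [p.strip() for p in pair.split(KV_DELIM)]
        if len(parts) >= 2:
            fields[parts[-2]] = parts[-1]  # rightmost token wins as the value
    return fields


def extract_first_colon(message):
    """Split on the pair delimiter first, then on only the FIRST colon.

    Same idea as the transforms.conf regex in the accepted answer: the key is
    everything before the first colon, the value is everything after it up to
    the next pair delimiter, so colons inside the value survive.
    """
    fields = {}
    for pair in message.split(PAIR_DELIM):
        key, sep, value = pair.partition(KV_DELIM)
        if sep:
            fields[key.strip()] = value.strip()
    return fields


# One pair: key up to the first colon, then either a double-quoted value (which
# may contain colons AND pipes, with \" escapes) or a bare value up to the next
# pipe or end of string.  Hypothetical pattern written for this example.
PAIR_RE = re.compile(r'\s*([^:|]+?)\s*:\s*("(?:[^"\\]|\\.)*"|[^|]*?)\s*(?:\||$)')


def extract_pairs(message):
    """Delimiter-aware extraction that also honours quoted values."""
    fields = {}
    for m in PAIR_RE.finditer(message):
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r'\\(.)', r'\1', value[1:-1])  # drop quotes, unescape
        fields[key] = value  # a later duplicate key overwrites an earlier one
    return fields


# Python spelling of the rex in the last answer; (?<Title>...) is (?P<Title>...) here.
TITLE_RE = re.compile(r"\|\s+title:\s+(?P<Title>[^|]*)(?:\s+\||$)")


def extract_title(message):
    """Pull just the title, colon included, the way the suggested rex does."""
    m = TITLE_RE.search(message)
    return m.group("Title") if m else None


if __name__ == "__main__":
    print("every-colon :", naive_extract(MESSAGE).get("title"))
    print("first-colon :", extract_first_colon(MESSAGE)["title"])
    print("quote-aware :", extract_pairs(QUOTED_MESSAGE)["title"])
    print("rex         :", extract_title(MESSAGE))
    print("bare inject :", extract_pairs(INJECTED_BARE)["user"])
    print("quoted      :", extract_pairs(INJECTED_QUOTED)["user"])
```

Run it with python3; the `__main__` block prints the title as each strategy sees it. Note that Python's `re` spells named groups `(?P<name>...)`, so the rex from the answer cannot be pasted in unchanged. The injection case is the caveat worth keeping in mind: splitting on the first colon fixes the colon problem, but any value the event producer does not quote can still carry a " | key: value" sequence, and the last occurrence of a key wins.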