Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using regex in field extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to create a field extraction(extension) that goes off an existing field(TargetFilename) but it isn't working. Any ideas? Tried with and without quotes.
For example:
| xmlwineventlog : EXTRACT-extension | Inline | TargetFilename .*\.(?<extension>[\S\s+]*) |
Works here in search:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
props.conf
[My_source_type]
REPORT-extension = extract_extension
.
.
.
transforms.conf
[extract_extension]
REGEX =<Data Name='TargetFilename'>([^.]+)(?<extension>.\w+)<\/Data>
FORMAT = extension:$3
Note: I have tried with below sample events.
TargetFilename=a.txt
TargetFilename=b.txt
TargetFilename="c.txt"
Please share sample events in case this is not working .
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you sure TargetFilename is an extracted field? Do you get results from this query?
index=foo | table TargetFilenameIf not then the field is not extracted and you should try a different regex.
Share a sample event and we may be able to help more.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
props.conf
[My_source_type]
REPORT-extension = extract_extension
.
.
.
transforms.conf
[extract_extension]
REGEX =<Data Name='TargetFilename'>([^.]+)(?<extension>.\w+)<\/Data>
FORMAT = extension:$3
Note: I have tried with below sample events.
TargetFilename=a.txt
TargetFilename=b.txt
TargetFilename="c.txt"
Please share sample events in case this is not working .
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this one for example would extract .temp from the filename EJ5T0WEDS801S4OF2UEY.temp
Thanks a bunch for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that worked, thank you!
Could you also help me figure out why these won't work?
[extract_file]
REGEX =<Data Name='TargetFilename'>.*\\\\(?<file>[\S\s+]*)<\/Data>
FORMAT = file:$3
[extract_md5]
REGEX =<Data Name='Hashes'>MD5=(?<MD5>[a-fA-F0-9]{1,32}),SHA256=(?<SHA256>[a-zA-Z0-9]{33,64})<\/Data>
FORMAT = md5:$3
[extract_sha256]
REGEX =<Data Name='Hashes'>SHA256=(?<SHA256>[a-zA-Z0-9]{33,64})<\/Data>
FORMAT = sha256:$3
TargetFilename data can use event previously provided.
Example data with Hashes:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords></Keywords><TimeCreated SystemTime='2021-06-09T17:56:51.779403700Z'/><EventRecordID></EventRecordID><Correlation/></Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=E17F9289D944626831D63E4394C195B3,SHA256=5F403F6BD0F55162B8E98786D1FB3475C0D414AB18128C270119E18AA53E4CDE</Data><Data Name='ParentProcessGuid'>{}</Data><Data Name='ParentProcessId'></Data><Data Name='ParentImage'>C:\Program Files\Confer\RepMgr.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Confer\RepMgr.exe"</Data></EventData></Event>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
[extract_file]
REGEX =<Data Name='TargetFilename'>([^<]*)
FORMAT = file::$1
[extract_md5]
REGEX =<Data Name='Hashes'>MD5=([^,]+)
FORMAT = md5::$1
[extract_sha256]
REGEX =SHA256=([^<]+)
FORMAT = sha256::$1
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@TheBravoSierra hello there.
I believe you are having some issues with your regex. Without knowing your events I could suggest something like this.
| rex field=TargetFilename "\.(?<file_extension>[^\.]+$)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize, the issue is not with the rex command but with adding it to Settings >> Fields >> Field Extractions.
I want it to be automatically extracted so this rex command is not needed in the search bar to populate the field.
Does that help?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
