Splunk Search

Using regex to extract multiple values between tags

capilarity
Path Finder

The event contains a 'before' and 'after' list of permissions and users SIDs, I can get splunk to extract the entire 'before' list and the entire 'after' list but only as single events.

but i need to break it down to list  to indivudal Permission and SID

 

This it the entire event:

2020-12-07 22:45:51.123 91046 SUCCESS Domain\User Archive Permissions Archive 133481FD9531D0347BBCE92FFF45B4FE11110000evaultcol <Archive ArchiveID="133481FD9531D0347vaultcol" ArchiveName="Last, First"><OldManualSD>😧(A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502267-1960408961-839522115-10875)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406856)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406857)</OldManualSD><NewManualSD>😧(A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502267-1960408961-839522115-10875)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406856)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406857)(A;;CCDCSWRPDT;;;S-1-5-21-299502267-1960408961-839522115-3949157)</NewManualSD></Archive> ServerName

The 'before' list is between the <OldManualSD> and <\OldManualSD> tags, the 'after' list is between the <NewManualSD> and </NewManualSD> tags

The Permissions field is between the ;; and ;;; delimiters and is followed by the SID. There is a varying number of permsissons/SIDs in each event

 

Can get part way there; ex_OldManual_GP and ex_NewManual_GP fields extract from the "Info" field and the contain the before and after, but trying to get a second extraction based off ex_OldManual_GP and ex_NewManual_GP always fails 

 

from the event above, I would like:

OldManual = A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10475
OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456
OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457

NewManual = A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10875
NewManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456
NewManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457
NewManua l= A;;CCDCSWRPDT;;;S-1-5-21-299502367-1960408961-839522117-3949147

Any ideas?

 

my transforms.conf file:

[ex_fields_extract]
FIELDS = "AuditDate","AuditID","Status","UserName","CategoryName","SubCategoryName","ObjectID","Vault","info","MachineName"
DELIMS = "\t"

[ex_OldManual_GP]
SOURCE_KEY = info
REGEX=\>(<OldManualSD>D:)((?P<OldManual_GP>.*))(<\/OldManualSD>)

[ex_NewManual_GP]
SOURCE_KEY = info
REGEX=\>(<NewManualSD>D:)((?P<NewManual_GP>.*))(<\/NewManualSD>)

[ex_OldManual_MV]
SOURCE_KEY = OldManual_GP
REGEX=;;(?P<perm>\w+);;;*
MV_ADD=true

[ex_NewManual_MV]
SOURCE_KEY = NewManual_GP
REGEX=(?<NewManual>[^,]+),*
MV_ADD=true

 

my props.conf file

[exlogs]
REPORT-ex_fields = ex_fields_extract
REPORT-mvalue = ex_OldManual_MV, ex_NewManual_MV, ex_NewManual_GP, ex_OldManual_GP
SHOULD_LINEMERGE = false

 

Labels (3)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!