- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Where to Start - Field Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
I've got a script uploading html files into Splunk. This uses IOC to check which hosts are infected and by what malware. What the malware changes and so on. I have one particular file which has the name of the Malware, the hash, a description and even the files changed. Added with the IP address of the host, it has everything.
My question is though, how do I tell splunk where to find the name of the malware and where the hash is. Bearing in mind that the name location will stay the same but the name will differ depending on the malware found.
I need this so as to have counters and timecharts of which host is infected by what.
Sample File:
xmlns:ioc="http://schemas.mandiant.com/2010/ioc" id="openioc">
<div id="openioc-head">
<div id="openioc-logo"></div>
<div id="openioc-title">
<h1>
ZeroAccess/Siref.P</h1>
<h4>0d0a744b-f7bf-453d-9105-5662bc27086e</h4>
</div>
</div>
<div id="openioc-main">
Show all 115 lines
host=192.168.89.137
I need to tell Splunk that in indexes with xmlns:ioc have the malware title in h1 and the hash in h4
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
(?i)<h1>(?P<dd>[^<]+)
and
(?i)<h4>(?P<dd>[^<]+)
Where "dd" is going to be what you want to call the field extraction. Use FIELDNAME if you are using the interactive field extractor. Then name it when you save.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
(?i)<h1>(?P<dd>[^<]+)
and
(?i)<h4>(?P<dd>[^<]+)
Where "dd" is going to be what you want to call the field extraction. Use FIELDNAME if you are using the interactive field extractor. Then name it when you save.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
regex is painful for me as well. Try the interactive field extractor or the | erex command. Much easier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks that was perfect, I'm still trying to get around regex 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help, I'm away for the week so I'll try it when I get back.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
