Splunk Search

Why is my field extraction not working properly between two log files?

nickbijmoer
Path Finder

Hello,

I want to extract a field with the field extractor in Splunk. When I run the extraction on log 1, I get the field I want: "HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account"

But on log 2, I don't get the field. How can I fix this?

Log 1:

2016 Oct 30 19:13:08 (AAV) 145.46.122.14->syscheck-registry
Rule: 596 (level 5) -> 'Registry Integrity Checksum Changed Again (3rd time)'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account'
Old md5sum was: '27511968a811898f0d7f1fed393d31d7'
New md5sum is : '5876c6ae278cce7ff2108d8396e10ddc'
Old sha1sum was: 'd94f9ea544b6b04caabc80d5bbe6b94854ae3406'
New sha1sum is : 'b46d17a3ddc54b5d03464374514398a1835f857e'

Log 2:

2016 Oct 29 06:53:09 (AAB) 145.46.40.146->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tomcat'
Old md5sum was: '3288a8f072b45b2fa9d879b2ba0fe453'
New md5sum is : 'ff17914ec4722e9b7d3scdb508c5d55d'
Old sha1sum was: '4d6b33e40721s837cd8de090ef0468b6b20a1f3b'
New sha1sum is : '270dca37b8681ca739de4493b704333fb3be86a3'
1 Solution

gokadroid
Motivator

Try this in your regex:

yourBaseSearch to return the log event
| rex "Integrity checksum changed for:\s\'(?<pathName>[^\']+)\'"
| table pathName

Use the same regex Integrity checksum changed for:\s\'(?<pathName>[^\']+)\' in your extractor and it should work.

See the regex tested here.

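Both events from the question run through the accepted answer's regex, plus a wider parser that pulls every field of the syscheck-registry alert (rule id, level, key path, old and new hashes). This is an added Python example, not code from the thread or from Splunk; it assumes Python 3 and uses the re module's (?P<name>...) group syntax where Splunk's rex takes (?<name>...).

```python
import re

# Both sample events are the ones quoted in the question (log 1 and log 2).
LOG1 = r"""2016 Oct 30 19:13:08 (AAV) 145.46.122.14->syscheck-registry
Rule: 596 (level 5) -> 'Registry Integrity Checksum Changed Again (3rd time)'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account'
Old md5sum was: '27511968a811898f0d7f1fed393d31d7'
New md5sum is : '5876c6ae278cce7ff2108d8396e10ddc'
Old sha1sum was: 'd94f9ea544b6b04caabc80d5bbe6b94854ae3406'
New sha1sum is : 'b46d17a3ddc54b5d03464374514398a1835f857e'"""

LOG2 = r"""2016 Oct 29 06:53:09 (AAB) 145.46.40.146->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tomcat'
Old md5sum was: '3288a8f072b45b2fa9d879b2ba0fe453'
New md5sum is : 'ff17914ec4722e9b7d3scdb508c5d55d'
Old sha1sum was: '4d6b33e40721s837cd8de090ef0468b6b20a1f3b'
New sha1sum is : '270dca37b8681ca739de4493b704333fb3be86a3'"""

# The accepted answer's regex in Python syntax: (?P<name>...) instead of (?<name>...),
# and the quote inside the character class left unescaped (it needs no escaping there).
PATH_RE = re.compile(r"Integrity checksum changed for:\s'(?P<pathName>[^']+)'")

# Wider parser for the whole alert (my addition, not from the thread). Hash values use
# [^']+ rather than [0-9a-f]+ because the quotes delimit the value reliably and the
# sample in log 2 contains non-hex characters exactly as it was typed in the question.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) "
    r"(?P<src_ip>[\d.]+)->(?P<location>\S+)\s*\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']+)'\s*\n"
    r"Integrity checksum changed for: '(?P<pathName>[^']+)'\s*\n"
    r"Old md5sum was: '(?P<old_md5>[^']+)'\s*\n"
    r"New md5sum is : '(?P<new_md5>[^']+)'\s*\n"
    r"Old sha1sum was: '(?P<old_sha1>[^']+)'\s*\n"
    r"New sha1sum is : '(?P<new_sha1>[^']+)'"
)


def extract_path(event):
    """Return the registry key the way the rex in the accepted answer would, or None."""
    m = PATH_RE.search(event)
    return m.group("pathName") if m else None


def parse_event(event):
    """Return every field of the alert as a dict, or None if it is not a syscheck-registry alert."""
    m = EVENT_RE.search(event)
    return m.groupdict() if m else None
```

The same named groups drop straight into rex or into an EXTRACT- stanza in props.conf, which answers the props/transforms question asked further down the thread.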

nickbijmoer
Path Finder

Thank you 🙂


lakromani
Builder

I am not sure you need to escape the ' within the square brackets, so this should work too: [^']+


lukejadamec
Super Champion

What method (delims or regex) are you using in the extractor, what are the settings (what does it look like in props/transforms), and what does the _raw data look like?
