- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my field extraction not working properly be...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I want to extract a field with the field extractor in Splunk. But when I extract these logs on log 1, I will get my field I want : "HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account"
But on log 2, I won't get the field. How can I fix this?
Log 1:
2016 Oct 30 19:13:08 (AAV) 145.46.122.14->syscheck-registry
Rule: 596 (level 5) -> 'Registry Integrity Checksum Changed Again (3rd time)'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account'
Old md5sum was: '27511968a811898f0d7f1fed393d31d7'
New md5sum is : '5876c6ae278cce7ff2108d8396e10ddc'
Old sha1sum was: 'd94f9ea544b6b04caabc80d5bbe6b94854ae3406'
New sha1sum is : 'b46d17a3ddc54b5d03464374514398a1835f857e'
Log 2:
2016 Oct 29 06:53:09 (AAB) 145.46.40.146->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tomcat'
Old md5sum was: '3288a8f072b45b2fa9d879b2ba0fe453'
New md5sum is : 'ff17914ec4722e9b7d3scdb508c5d55d'
Old sha1sum was: '4d6b33e40721s837cd8de090ef0468b6b20a1f3b'
New sha1sum is : '270dca37b8681ca739de4493b704333fb3be86a3'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this in your regex:
yourBaseSearch to return the log event
| rex "Integrity checksum changed for:\s\'(?<pathName>[^\']+)\'"
| use pathname field
Use the same regex Integrity checksum changed for:\s\'(?<pathName>[^\']+)\' in your extractor and it should work.
See the regex tested here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this in your regex:
yourBaseSearch to return the log event
| rex "Integrity checksum changed for:\s\'(?<pathName>[^\']+)\'"
| use pathname field
Use the same regex Integrity checksum changed for:\s\'(?<pathName>[^\']+)\' in your extractor and it should work.
See the regex tested here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure you need to escape the 'within the square brackets, so this should work too: [^']+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What method (delims or regex) are you using in the extractor, what are the settings (what does it look like in props/transforms), and what does the _raw data look like?
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
