Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is my field extraction not working properly between two log files?

nickbijmoer
Path Finder
‎10-31-2016 07:20 AM

Hello,

I want to extract a field with the field extractor in Splunk. But when I extract these logs on log 1, I will get my field I want : "HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account"

But on log 2, I won't get the field. How can I fix this?

Log 1: 

2016 Oct 30 19:13:08 (AAV) 145.46.122.14->syscheck-registry
Rule: 596 (level 5) -> 'Registry Integrity Checksum Changed Again (3rd time)'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account'
Old md5sum was: '27511968a811898f0d7f1fed393d31d7'
New md5sum is : '5876c6ae278cce7ff2108d8396e10ddc'
Old sha1sum was: 'd94f9ea544b6b04caabc80d5bbe6b94854ae3406'
New sha1sum is : 'b46d17a3ddc54b5d03464374514398a1835f857e'

Log 2: 

2016 Oct 29 06:53:09 (AAB) 145.46.40.146->syscheck-registry
Rule: 594 (level 5) -> 'Registry Integrity Checksum Changed'
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tomcat'
Old md5sum was: '3288a8f072b45b2fa9d879b2ba0fe453'
New md5sum is : 'ff17914ec4722e9b7d3scdb508c5d55d'
Old sha1sum was: '4d6b33e40721s837cd8de090ef0468b6b20a1f3b'
New sha1sum is : '270dca37b8681ca739de4493b704333fb3be86a3'
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎10-31-2016 08:55 PM

Try this in your regex:

yourBaseSearch to return the log event
| rex "Integrity checksum changed for:\s\'(?<pathName>[^\']+)\'"
| use pathname field

Use the same regex Integrity checksum changed for:\s\'(?<pathName>[^\']+)\' in your extractor and it should work.

See the regex tested here.

View solution in original post

Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎10-31-2016 08:55 PM

Try this in your regex:

yourBaseSearch to return the log event
| rex "Integrity checksum changed for:\s\'(?<pathName>[^\']+)\'"
| use pathname field

Use the same regex Integrity checksum changed for:\s\'(?<pathName>[^\']+)\' in your extractor and it should work.

See the regex tested here.

Reply
Solved! Jump to solution

nickbijmoer
Path Finder
‎11-01-2016 02:16 AM

Thank you 🙂

0 Karma
Reply
Solved! Jump to solution

lakromani
Builder
‎11-01-2016 03:14 AM

I am not sure you need to escape the 'within the square brackets, so this should work too: [^']+

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-31-2016 09:25 AM

What method (delims or regex) are you using in the extractor, what are the settings (what does it look like in props/transforms), and what does the _raw data look like?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...