Splunk Search

parsing multivalue subfields in cisco ise

tfechner
Path Finder

Hi,

we have from a cisco ISE a syslog like this one:

calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,

The key=value extraction works fine. But I have a multi-value field called cisco-av-pair containing these values:
..
mdm-tlv=device-platform-version=6.3.9600
mdm-tlv=device-uid=C3..
..

I would like to have the mdm-tlv prefix cut-off and have the key/value extraction on the subfields. At the end there should be these single-value fields:
device-platform-version , device-uid, device-platform
with the corresponding values.

How is that done in props/transforms?
I know I can write a regex doing this stuff, but a more generic way without explicit naming the fields would be fine.

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults
| eval _raw="calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,"
| rex mode=sed "s/cisco-av-pair=mdm-tlv=//g"
| extract pairdelim="," kvdelim="="

props.conf

SEDCMD-trim = s/cisco-av-pair=mdm-tlv=//g

View solution in original post

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,"
| rex mode=sed "s/cisco-av-pair=mdm-tlv=//g"
| extract pairdelim="," kvdelim="="

props.conf

SEDCMD-trim = s/cisco-av-pair=mdm-tlv=//g
0 Karma

tfechner
Path Finder

ok - this is the easy way - works. will use this.

But the original _raw is altered.
I thought it might be a solution like:
DELIM="cisco-av-pair=mdm-tlv","=",

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...