Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- parsing multivalue subfields in cisco ise
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
we have from a cisco ISE a syslog like this one:
calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,
The key=value extraction works fine. But I have a multi-value field called cisco-av-pair containing these values:
..
mdm-tlv=device-platform-version=6.3.9600
mdm-tlv=device-uid=C3..
..
I would like to have the mdm-tlv prefix cut-off and have the key/value extraction on the subfields. At the end there should be these single-value fields:
device-platform-version , device-uid, device-platform
with the corresponding values.
How is that done in props/transforms?
I know I can write a regex doing this stuff, but a more generic way without explicit naming the fields would be fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,"
| rex mode=sed "s/cisco-av-pair=mdm-tlv=//g"
| extract pairdelim="," kvdelim="="
props.conf
SEDCMD-trim = s/cisco-av-pair=mdm-tlv=//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,"
| rex mode=sed "s/cisco-av-pair=mdm-tlv=//g"
| extract pairdelim="," kvdelim="="
props.conf
SEDCMD-trim = s/cisco-av-pair=mdm-tlv=//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok - this is the easy way - works. will use this.
But the original _raw is altered.
I thought it might be a solution like:
DELIM="cisco-av-pair=mdm-tlv","=",
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
