Splunk Search

what's the best way to create a table of the app name, found data, and log snippet

llh
New Member

requirements:
find and save sensitive data fields from logs
Save log snippet around sensitive data field
Remove duplicates for mule apps and sensitive data field
Create table showing mule app name, sensitive data, and log snippet

is there a way to improve the search query so I don't have to duplicate the rex commands every time I need to add a new sensitive data value?

(app_name is an existing custom field)

index="prod"
| rex field=_raw "(?i)(?<birthDate>(birthDate))"
| rex field=_raw "(?i)(?<dob>(dob))"
| rex field=_raw "(?i)(?<birthday>(birthday))"
| rex field=_raw "(?i)(?<birthDateLog>(birthDate).*?\w\W)"
| rex field=_raw "(?i)(?<dobLog>(dob).*?\w\W)"
| rex field=_raw "(?i)(?<birthdayLog>(birthday).*?\w\W)"
| eval SENSITIVE_DATA=mvappend(birthDate,dob,birthday)
| eval SENSITIVE_DATA_LOWER=lower(SENSITIVE_DATA)
| dedup app_name SENSITIVE_DATA_LOWER
| eval SENSITIVE_DATA_LOG=mvappend(birthDateLog,dobLog,birthdayLog)
| stats list(SENSITIVE_DATA_LOG) as SENSITIVE_DATA_LOG list(SENSITIVE_DATA_LOWER) as SENSITIVE_DATA_LOWER by app_name
| table app_name SENSITIVE_DATA_LOWER SENSITIVE_DATA_LOG


example output:

app_name | SENSITIVE_DATA_LOWER | SENSITIVE_DATA_LOG
---------|----------------------|---------------------------
s-api    | dob                  | dob: 01/01/2024
         | birthdate            | birthdate:  09-09-1999
p-api    | birthday             | birthday: August 23, 2024

PickleRick
SplunkTrust

Well, you can try to make a compound regex containing some alternative branches.

Also you seem to have some XML-like structure there. If it's a valid XML, why not just parse the XML into fields and check for existence of specific fields?

I'm also not sure about the rest of the search but honestly speaking it's too late and I'm too tired at the moment to look into it.

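The compound-regex approach suggested in the answer above, written out as a complete search. This is an added example, not code from either poster: one rex with an alternation branch per keyword replaces the six rex commands in the question, and adding a new sensitive term means adding one more branch. It assumes the same index and the existing app_name field from the question; the snippet is taken as the keyword plus up to 40 following characters (an assumption; the original used `.*?\w\W`), and the `\b` anchors are there so that `dob` is not reported when it merely appears inside a longer word such as `adobe`.

```spl
index="prod"
``` Single extraction: max_match=0 makes both capture groups multivalue, one entry per keyword hit in the event
| rex field=_raw max_match=0 "(?i)\b(?<SENSITIVE_DATA>birthdate|dob|birthday)\b(?<SENSITIVE_DATA_REST>.{0,40})"
``` Zip keyword and trailing text together so they stay paired when the event is split into one row per hit
| eval pairs=mvzip(SENSITIVE_DATA, SENSITIVE_DATA_REST, "##")
| mvexpand pairs
| rex field=pairs "^(?<SENSITIVE_DATA>[^#]+)##(?<SENSITIVE_DATA_REST>.*)$"
``` Normalise case for dedup and rebuild the snippet (keyword + what followed it)
| eval SENSITIVE_DATA_LOWER=lower(SENSITIVE_DATA), SENSITIVE_DATA_LOG=SENSITIVE_DATA.SENSITIVE_DATA_REST
``` One row per (app, keyword); events with no hit have no SENSITIVE_DATA_LOWER and are dropped here
| dedup app_name SENSITIVE_DATA_LOWER
``` list() keeps the two columns in the same order, so row N of each column belongs together
| stats list(SENSITIVE_DATA_LOWER) as SENSITIVE_DATA_LOWER list(SENSITIVE_DATA_LOG) as SENSITIVE_DATA_LOG by app_name
| table app_name SENSITIVE_DATA_LOWER SENSITIVE_DATA_LOG
```

The lines beginning with three backticks inside the block are explanatory comments and are not SPL; drop them before running the search. Note that SENSITIVE_DATA_LOG deliberately carries the value that followed the keyword, so the saved report itself holds the sensitive data the search is hunting for: restrict who can read that report, or shorten the `.{0,40}` window to the keyword and separator only if the goal is just to prove that the field is being logged.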