Hi,
I had the same problem regarding field extraction. The regular expression is buggy: sometimes it works and sometimes not, depending on the date (day of the month, single or double digit).
I changed the regex in transforms.conf like this (I also added new fields for ReputationDV Feed):
[tab_kv_for_tippingpoint]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t\"?\d+:\s+([^\t"]+)\"?\t([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)
FORMAT = vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 dest_port::$11 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 category_id::$16 ioc::$20

[pipe_kv_for_tippingpoint]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|\"(?:\d+:\s)?([^|]+)\"\|([^|]+)\|\"?([^|"]+)\"?\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|\"?([^|"]+)\"?\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)
FORMAT = vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 dest_port::$11 hit_count::$12 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 category_id::$16 ips_host::$17 ioc::$20
I hope this helps. Let me know if it works for you.
Regards,
filou
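To check a transforms.conf extraction like the one in the answer above before deploying it, it helps to run the REGEX and FORMAT against sample events offline. The script below is an added example, not part of the original post or of the TippingPoint add-on: it takes the tab-separated REGEX and FORMAT exactly as posted, builds two constructed syslog lines that differ only in the day of the month (single digit "Mar  5" versus double digit "Mar 15"), and shows that the posted pattern extracts both, while a variant that requires two day digits (`\d{2}` in the header, assumed here to illustrate the date-dependent failure the post describes) matches only the second. Python's `re` module stands in for Splunk's PCRE engine; the pattern uses only constructs that behave the same in both. The sample field values and hostnames are constructed.

```python
import re

# REGEX as posted in the answer (tab-separated variant), split across lines for readability.
TAB_REGEX = (
    r'^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+'          # syslog header, day is \d+
    r'(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?'          # optional inner timestamp
    r'([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t'           # groups 1-4
    r'\"?\d+:\s+([^\t"]+)\"?\t([^\t]+)\t\"?([^\t"]+)\"?\t'  # groups 5-7
    r'([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t'  # groups 8-14
    r'\"?([^\t"]+)\"?\t'                                  # group 15
    r'([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)'    # groups 16-22
)

# FORMAT as posted in the answer.
TAB_FORMAT = (
    "vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 "
    "signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 "
    "dest_port::$11 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 "
    "category_id::$16 ioc::$20"
)

# Assumed contrast case (not from the post): the same pattern but with a
# two-digit day in the syslog header, which is the kind of regex that only
# works on some days of the month.
TWO_DIGIT_DAY_REGEX = TAB_REGEX.replace(r'^\w{3}\s+\d+\s+', r'^\w{3}\s+\d{2}\s+', 1)


def parse_format(fmt):
    """Turn a transforms.conf FORMAT string into {field_name: capture_group_number}."""
    mapping = {}
    for token in fmt.split():
        name, _, ref = token.partition("::")
        mapping[name] = int(ref.lstrip("$"))
    return mapping


def extract(line, regex=TAB_REGEX, fmt=TAB_FORMAT):
    """Apply REGEX to one event and name the captures per FORMAT; None if no match."""
    match = re.match(regex, line)
    if match is None:
        return None
    return {name: match.group(num) for name, num in parse_format(fmt).items()}


def make_line(header):
    """Build a constructed tab-separated TippingPoint-style event behind the given header."""
    fields = [
        "Block", "3", "policy-uuid-0001", "sig-uuid-0002",        # 1-4
        '"1234: HTTP: Example Signature"', "1234", '"http"',      # 5-7
        "198.51.100.10", "45678", "192.0.2.20", "80", "1",        # 8-12
        "0", "1A", '"ips-01"', "5",                               # 13-16
        "ips-host", "-", "-", "203.0.113.5", "-", "-",            # 17-22
    ]
    return header + "\t".join(fields)


SINGLE_DIGIT_DAY = make_line("Mar  5 10:20:30 sms-host ")   # constructed sample
DOUBLE_DIGIT_DAY = make_line("Mar 15 10:20:30 sms-host ")   # constructed sample


def compare_patterns():
    """Return which sample days each pattern extracts, to show the date dependency."""
    return {
        "posted_regex": {
            "single_digit_day": extract(SINGLE_DIGIT_DAY) is not None,
            "double_digit_day": extract(DOUBLE_DIGIT_DAY) is not None,
        },
        "two_digit_day_regex": {
            "single_digit_day": extract(SINGLE_DIGIT_DAY, TWO_DIGIT_DAY_REGEX) is not None,
            "double_digit_day": extract(DOUBLE_DIGIT_DAY, TWO_DIGIT_DAY_REGEX) is not None,
        },
    }


if __name__ == "__main__":
    for name, value in extract(SINGLE_DIGIT_DAY).items():
        print(f"{name} = {value}")
    print(compare_patterns())
```

Running the script prints the named fields for the single-digit-day event and a summary showing that the posted regex handles both days while the two-digit-day variant misses the first. The same approach works for the pipe-separated stanza by swapping in its REGEX and FORMAT.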