
How to avoid comma separated delimiter being escaped by backslash in an event?

mayurr98
Super Champion

Hello Splunkers,

I have an event like this:

blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,Generic PUA JB,,Endpoint Protection

I am extracting fields using a comma as the separator delimiter, so my props.conf and transforms.conf are:

transforms.conf

[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product

props.conf 

[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype

Now the output that I am getting is:

file_path = \\program_files\c\Drivers\,

severity=

severity_id= Generic PUA GB

signature=

signature_id= Endpoint Protection

vendor_product=

All the fields before file_path are getting extracted properly, and the fields after file_path are incorrect because it's treating the comma as part of the value and thus not separating properly. How do I ignore the \, and extract the fields properly?

Thank you in advance


danspav
SplunkTrust

Hi @mayurr98,

I tried out a new props that looks like it's getting the fields to ingest correctly:

transforms.conf

[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product

props.conf 

[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype
# SEDCMD settings in props.conf take a class suffix (SEDCMD-<class>)
SEDCMD-escape_file_path_backslash = s/^((?:[^,]+,){4}[^,]+)(?<=\\),/\1\\,/


I've only added one additional line in the props - a sedcmd to add an escape to any trailing slash in the file_path segment.

With that config set up, the data is ingested with the correct vendor_product field:

[Screenshot: danspav_0-1685942678344.png]

Cheers,
Daniel

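As an added illustration (not code from the thread or from Splunk), the following Python models the behaviour the two posts describe: a simplified DELIMS splitter in which a backslash escapes the character after it, and the answer's SEDCMD rewritten with re.sub, so the mis-aligned fields before the fix and the correct ten fields after it can be compared side by side. The splitter is an assumption inferred from the output shown in the question, not Splunk's implementation.

```python
import re

# Constructed sample event (copied from the question above).
RAW_EVENT = (r"blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,"
             r"Generic PUA JB,,Endpoint Protection")

FIELDS = ["action", "category", "dest", "file_name", "file_path", "severity",
          "severity_id", "signature", "signature_id", "vendor_product"]

# The answer's SEDCMD as a Python regex; re.sub treats \1 and \\ in the
# template the same way sed does, so the rewrite is identical.
SED_PATTERN = re.compile(r"^((?:[^,]+,){4}[^,]+)(?<=\\),")
SED_TEMPLATE = r"\1\\,"


def apply_sedcmd(event: str) -> str:
    """Double the backslash that precedes the comma closing field 5."""
    return SED_PATTERN.sub(SED_TEMPLATE, event, count=1)


def delims_split(event: str, delim: str = ",") -> list:
    """Simplified model (an assumption, not Splunk's code) of DELIMS parsing:
    a backslash escapes the character after it, so '\\,' is not a field
    boundary, and the escape is kept verbatim, as the question's output shows."""
    fields, current, i = [], [], 0
    while i < len(event):
        ch = event[i]
        if ch == "\\" and i + 1 < len(event):
            current.extend(event[i:i + 2])  # keep backslash and escaped char
            i += 2
            continue
        if ch == delim:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def extract(event: str) -> dict:
    """Pair split values with FIELDS the way the transform would; a name
    with no value left for it is reported as None."""
    values = delims_split(event)
    return {name: (values[n] if n < len(values) else None)
            for n, name in enumerate(FIELDS)}


if __name__ == "__main__":
    print("before SEDCMD:", extract(RAW_EVENT))
    print("after SEDCMD: ", extract(apply_sedcmd(RAW_EVENT)))
```

The regex only fires when the first four fields are non-empty and the fifth ends in a backslash, so an event with an empty early field passes through unchanged; SEDCMD is also applied at index time, so events already indexed keep the shifted fields.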