Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction Using Tranforms Configration

SplunkDash
Motivator
‎11-18-2023 07:11 PM

Hello,

I have some issues to perform field extractions using transform configuration. It's not giving field value pairs as expected. Sample events and configuration files are given below. Some non-uniformities within the events are also marked in Bold. Any recommendations will be highly appreciated. Thank you so much.

My Configuration Files

[mypropfConf]

REPORT-mytranforms=myTransConf

[myTransConf]
REGEX = ([^"]+?):'([^"]+?)'
FORMAT = $1::$2

Sample Events

2023-11-15T18:56:29.098Z OTESTN097MA4515620 TESTuser20248: UserID: '90A', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A5367817222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'Sec'

2023-11-15T18:56:29.021Z OTESTN097MB7513020 TESTuser20249: UserID: '95B', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A516670222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'tec'

2023-11-15T18:56:29.009Z OTESTN097MB9513020 TESTuser20248: UserID: '95A', UserType: 'TempEMP', System: 'TEST', UAT: 'UTA-True', EventType: 'TEST', EventID: 'Lookup', Subject: 'A546610222', Scode: '' EventStatus: 0, TimeStamp: '2023-11-03T15:56:29.099Z', Device: 'OTESTN097MA4513020', Msg: 'lookup ok', var: 'test'

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-18-2023 10:59 PM

Hi @SplunkDash,

you can use REPORT i you have a list of fields separated by comma or another char.

In your case I'd use a regex in props.conf  like the following

EXTRACT-your_sourcetype = ^(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+\.\d+\w)\s+(?<host>[^ ]+)\s+(?<user>[^:]+):\s+UserID:\s+\'(?<UserID>[^\']+)\',\s+UserType:\s+\'(?<UserType>[^\']+)\',\s+System:\s+\'(?<System>[^\']+)\',\s+UAT:\s+\'(?<UAT>[^\']+)\',\s+EventType:\s+\'(?<EventType>[^\']+)\',\s+EventID:\s+\'(?<EventID>[^\']+)\',\s+Subject:\s+\'(?<Subject>[^\']+)\',\s+Scode:\s+\'(?<Scode>[^\']*)\'\s+EventStatus:\s+(?<EventStatus>\d*),\s+TimeStamp:\s*\'(?<TimeStamp>[^\']*)\',\s+Device:\s*\'(?<Device>[^\']*)\',\s+Msg:\s*\'(?<Msg>[^\']*)\',\s+var:\s*\'(?<var>[^\']*)\'

You can test the regex at https://regex101.com/r/iQZi9K/1

Ciao.

Guseppe

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-18-2023 11:56 PM

I'm not sure if there was any modification to the copy-pasted config and/or events but your regex doesn't allow for spaces between the semicolon after the key name and the value.

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-18-2023 10:59 PM

Hi @SplunkDash,

you can use REPORT i you have a list of fields separated by comma or another char.

In your case I'd use a regex in props.conf  like the following

EXTRACT-your_sourcetype = ^(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+\.\d+\w)\s+(?<host>[^ ]+)\s+(?<user>[^:]+):\s+UserID:\s+\'(?<UserID>[^\']+)\',\s+UserType:\s+\'(?<UserType>[^\']+)\',\s+System:\s+\'(?<System>[^\']+)\',\s+UAT:\s+\'(?<UAT>[^\']+)\',\s+EventType:\s+\'(?<EventType>[^\']+)\',\s+EventID:\s+\'(?<EventID>[^\']+)\',\s+Subject:\s+\'(?<Subject>[^\']+)\',\s+Scode:\s+\'(?<Scode>[^\']*)\'\s+EventStatus:\s+(?<EventStatus>\d*),\s+TimeStamp:\s*\'(?<TimeStamp>[^\']*)\',\s+Device:\s*\'(?<Device>[^\']*)\',\s+Msg:\s*\'(?<Msg>[^\']*)\',\s+var:\s*\'(?<var>[^\']*)\'

You can test the regex at https://regex101.com/r/iQZi9K/1

Ciao.

Guseppe

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...