Hi All,
I have installed and configured "Cisco AMP for Endpoints" on our search head. Currently, it's forwarding all the logs to an index called "Cisco-AMP". I can see all events coming in. There is a field called "event.computer.user" that stores the email address of the user. I need to extract just the user name from this field and add it to another field called "User".
The following regex does that perfectly when I run it in the search bar.
index=amp | rex field=event.computer.user "(?<user>[^@]+)"
But I need this extraction to work permanently. So I created a field extraction by taking the steps below. Then I restarted Splunk services. But I can't see the new field when I search for the Cisco AMP events in the search app. Am I doing anything wrong here?
Settings > Fields > Field Extraction >
Destination App: Cisco-AMPEvents
Name: User_field_extract
Sourcetype: cisco:amp:event
Type: inline
Extraction and Transform: field=event.computer.user "(?<user>[^@]+)"
App Permission: Global
Thank you in advance.
I think it's working now.
Step 1: I created a regex-based field transform with the following settings.
Name: field_extraction_for_user
Type: RegEx Based
RegEx: (?<user>[^@]+)
App: Cisco_AMP
Source Key: event.computer.user
Step 2: Then I created a field extraction.
App: Cisco_AMP
Name: User_Extraction
SourceType: Cisco:AMP
Type: Uses transform
Extraction/Transform: "name of the field transform above"
Thank you very much for your help.
@PanIrosha
Glad to help you.
!!! Happy Splunking !!!
@PanIrosha
Have you tried comparing with _raw?
Can you please try this?
**Extraction and Transform:** event.computer.user=(?<user>[^@]+)
Note: Here I have assumed that _raw is like below.
event.computer.user=abc@xyz.com
Hi @kamlesh_vaghela
Thank you for the quick response.
The raw log has the following:
"user": "firstName.LastName@DomainName.com"
Is this a JSON event??
Can you please share sample events?? Replace the sensitive values with dummy ones.
Below is the sample raw event:
{"event": {"event_type": "Threat Detected", "timestamp_nanoseconds": 543000000, "date": "2018-10-29T12:20:53+00:00", "file": {"disposition": "Malicious", "identity": {"md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}, "file_name": "f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "file_path": "\\?\C:\Users\User.Name\Downloads\f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "parent": {"disposition": "Clean", "identity": {"md5": "f8ba54ad76c8f8ec9f3d639871b30f27", "sha1": "d42ea42b362442299195a82cfb998f10b11af868", "sha256": "c0edc58682b6fa296a439da2320c8bf74d7bf5f8e83446441048687beb60a472"}, "file_name": "chrome.exe", "process_id": 13132}}, "computer": {"links": {"trajectory": "https://api.eu.amp.cisco.com", "computer": "https://api.eu.amp.cisco.com", "group": "https://api.eu.amp.cisco.com"}, "connector_guid": "ec10a6ba-1bf2-42d8-8254-77fbcea54c6a", "active": true, "hostname": "Demo-PC-001", "user": "firstName.LastName@Domain.com", "external_ip": "xxx.xxx.xxx.xxx", "network_addresses": [{"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}]}, "id": 6617752838799884295, "timestamp": 1540815653, "connector_guid": "asas-weuwuey-kjhdfkjaf", "event_type_id": 1090519054, "detection": "Win.Trojan.EICAR-Test-File", "detection_id": "6617752838799884292", "group_guids": ["272362aashasah13276237623jsdhjsdjsh"]}}
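As an added example (not from this thread), here is the same extraction written as a permanent props.conf/transforms.conf pair. The regex is matched directly against the raw JSON shown above, so it does not depend on the key=value layout the earlier suggestion assumed; the sourcetype name cisco:amp:event is taken from the question, and the app directory and stanza names are assumptions.

```ini
# transforms.conf  (assumed path: $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf)
# The regex runs against _raw (the default SOURCE_KEY), so it does not rely on
# Splunk's automatic JSON extraction having produced event.computer.user first.
# It captures the text between the opening quote of the "user" value and the
# first '@', i.e. firstName.LastName from "firstName.LastName@Domain.com".
# It matches the first "user" key in the event; in the sample above that key
# only occurs under "computer".
[amp_user_from_email]
REGEX = "user"\s*:\s*"(?<User>[^@"]+)@

# props.conf  (same app/local directory)
# Sourcetype name as given in the question; adjust if your events use another.
[cisco:amp:event]
REPORT-amp_user = amp_user_from_email
```

After a restart (or a debug/refresh), check the result with a search such as `index=amp sourcetype=cisco:amp:event | table event.computer.user User`, which should show the email address next to the extracted User value.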