Splunk Search

Can you help me with a regex field extraction?

PanIrosha
Path Finder

Hi All,

i have installed and configured "Cisco AMP for Endpoints" in our search head. Currently, it's forwarding all the logs to an index called "Cisco-AMP". I can see all events coming in. There is a field called "event.computer.user" this store email address of the user. i need to extract just the user name from this field and add it to another field called "User".

The following Regex does that perfectly when i run it on the search bar.

index=amp | rex field=event.computer.user "(?<user>[^@]+)"

But i need this extraction to work permanently. So i created a field extraction by taking the below steps. Then I restarted Splunk services. But i can't see the new field when i search for the Cisco amp events in the search app. Am i doing anything wrong here ?

Settings > Fields > Filed Extraction >

Destination App: Cisco-AMPEvents
Name: User_field_extract
Sourcetype: cisco:amp:event
Type: inline
Extraction and Transform: field=event.computer.user "(?<user>[^@]+)"
App Permission: Global

Thank you in advance.

0 Karma
1 Solution

PanIrosha
Path Finder

hi @kamlesh_vaghela

i think its working now.

Step 1: i have created a regex based field transform with following settings.

Name: field_extraction_for_user
Type: RegEx Based
RegEx:(?[^@]+)
App: Cisco_AMP
Source Key: event.computer.user

Step 2: then i have created a field extraction.

App: Cisco_AMP
Name: User_Extraction
SourceType: Cisco:AMP
Type: Uses transform
Extraction/Transform: "name of the field transform above"

Thank you very much for your help.

View solution in original post

0 Karma

PanIrosha
Path Finder

hi @kamlesh_vaghela

i think its working now.

Step 1: i have created a regex based field transform with following settings.

Name: field_extraction_for_user
Type: RegEx Based
RegEx:(?[^@]+)
App: Cisco_AMP
Source Key: event.computer.user

Step 2: then i have created a field extraction.

App: Cisco_AMP
Name: User_Extraction
SourceType: Cisco:AMP
Type: Uses transform
Extraction/Transform: "name of the field transform above"

Thank you very much for your help.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@PanIrosha

Glad to help you.

!!! Happy Splunking !!!

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@PanIrosha
Have you tried with comparing with raw?

Can you please try with this?

**Extraction and Transform:**  event.computer.user=(?<user>[^@]+)

Note: Here I have assumed that _raw is like below.

event.computer.user=abc@xyz.com
0 Karma

PanIrosha
Path Finder

hi @kamlesh_vaghela

Thank you for the quick response.

in the raw log has following

"user": "firstName.LastName@DomainName.com"
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Is this a JSON event??

Can you please share sample events?? Replace the sensitive value with dummy one.

0 Karma

PanIrosha
Path Finder

@kamlesh_vaghela

below is the sample raw event

{"event": {"event_type": "Threat Detected", "timestamp_nanoseconds": 543000000, "date": "2018-10-29T12:20:53+00:00", "file": {"disposition": "Malicious", "identity": {"md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}, "file_name": "f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "file_path": "\\?\C:\Users\User.Name\Downloads\f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "parent": {"disposition": "Clean", "identity": {"md5": "f8ba54ad76c8f8ec9f3d639871b30f27", "sha1": "d42ea42b362442299195a82cfb998f10b11af868", "sha256": "c0edc58682b6fa296a439da2320c8bf74d7bf5f8e83446441048687beb60a472"}, "file_name": "chrome.exe", "process_id": 13132}}, "computer": {"links": {"trajectory": "https://api.eu.amp.cisco.com", "computer": "https://api.eu.amp.cisco.com", "group": "https://api.eu.amp.cisco.com"}, "connector_guid": "ec10a6ba-1bf2-42d8-8254-77fbcea54c6a", "active": true, "hostname": "Demo-PC-001", "user": "firstName.LastName@Domain.com", "external_ip": "xxx.xxx.xxx.xxx", "network_addresses": [{"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}]}, "id": 6617752838799884295, "timestamp": 1540815653, "connector_guid": "asas-weuwuey-kjhdfkjaf", "event_type_id": 1090519054, "detection": "Win.Trojan.EICAR-Test-File", "detection_id": "6617752838799884292", "group_guids": ["272362aashasah13276237623jsdhjsdjsh"]}}

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...