- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search-time field extraction with multiple values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to extract a field from a Windows event which can contain multiple values. At the search line I can do this easily, but I am having trouble setting this up to happen automatically. An example of the event I want to extract from is below. I basically want to extract the SAN name fields.
SAN:DNS=amazonaws.com&DNS=*.amazonaws.com&DNS=*.us-east-1.amazonaws.com&DNS=*.us-west-2.amazonaws.com&DNS=*.us-west-1.amazonaws.com&DNS=*.eu-west-1.amazonaws.com&DNS=*.ap-southeast-1.amazonaws.com&DNS=*.ap-southeast-2.amazonaws.com&DNS=*.ap-northeast-1.amazonaws.com&DNS=*.sa-east-1.amazonaws.com CertificateTemplate:xx UserAgent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Safari/537.36 ccm:xx.xx.xx.xx Disposition: 3 SKI: xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx Subject: CN=amazonaws.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx
Using the following search from the Splunk search box everything works fine.
index="CA_Logs" host=ca1 msad_action="approved a certificate request and issued a certificate." | rex max_match=50 "(?ms)(DNS|IPAddress)=(?<san>[\w\.\-\*]+)"
It correctly extracts a field called "san" and finds all of the following SAN's:
amazonaws.com
*.amazonaws.com
*.us-east-1.amazonaws.com
*.us-west-2.amazonaws.com
*.us-west-1.amazonaws.com
*.eu-west-1.amazonaws.com
*.ap-southeast-1.amazonaws.com
*.ap-southeast-2.amazonaws.com
*.ap-northeast-1.amazonaws.com
*.sa-east-1.amazonaws.com
I've tried setting this up via the Splunkweb:
- Settings > Fields
- Field Extractions
Name: WinEventLog:Security : EXTRACT-CA-SAN-fields
Type: Inline
Extraction/Transform: (?ms)(DNS|IPAddress)=(?[\w.-*]+)
I've tried adding max_match=50 to this but it breaks the match as I assume max_match=50 becomes part of the regex.
- Settings > Fields
- Field transformations
Name: CA_SAN_MV
Regular Expression: san="(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
or
Regular Expression: (?ms)(DNS|IPAddress)=(?[\w.-*]+)
or
Regular Expression: "(?ms)(DNS|IPAddress)=(?[\w.-*]+)"
Source Key: _raw
or
Source Key: Message
Create multivalued fields: Ticked
Automatically clean field names: Ticked
Via Field Extractions it works but only catches the first instance of SAN=xxxx.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.
Splunkweb > Settings > Fields > Field Transformation
Name : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked
Splunkweb > Settings > Fields > Field extractions
Name : CA-SAN-fields
Apply to : sourcetype=WinEventLog:Security
Type : Uses transform
Extraction/Transform: CA_SAN_EXTRACT
Works as expected picking up all the SAN fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have managed to figure it out. I realised that the field extraction was props.conf and the field transformation was transforms.conf. So I put the regex on field transformation and called it on field extraction as a report. For anyone else who comes across something similar and finds it confusing I did the following.
Splunkweb > Settings > Fields > Field Transformation
Name : CA_SAN_EXTRACT
Regular Expression : (DNS|IPAddress)=(?<san>[\w\.\-\*]+)
Source Key : _raw
Create multivalued fields: Ticked
Automatically clean field names: Ticked
Splunkweb > Settings > Fields > Field extractions
Name : CA-SAN-fields
Apply to : sourcetype=WinEventLog:Security
Type : Uses transform
Extraction/Transform: CA_SAN_EXTRACT
Works as expected picking up all the SAN fields.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
