Splunk Search

Hello everyone, am trying to extract fields from the below syslog events that i'm receiving from Symantec, would you help me extracting it out

aelzain
Engager

<54>Nov 30 15:02:42 SymantecServer SR-SAAP-SEP01: Scan ID: 1448882755,Begin: 2015-11-30 11:47:09,End: 2015-11-30 11:58:44,Completed,Duration (seconds): 695,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete: Risks: 0 Scanned: 1472 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 1465',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1472,Omitted: 0,Computer: IBV-HQ-L12,IP Address: 172.18.10.34,Domain: Default,"Group: My Company\Workstations\Information Technology\",Server: SR-SAAP-SEP01

<54>Nov 30 15:00:42 SymantecServer SR-SAAP-SEP01: Scan ID: 1448884513,Begin: 2015-11-30 11:55:45,End: ,Started,Duration (seconds): 0,User1: z.Zomoniem,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: MLK-HQ-324,IP Address: 172.18.3.65,Domain: Default,Group: My Company\Workstations,Server: SR-SAAP-SEP01

am trying to create different types of reports that showing the the threat that I may face from viruses and not up to date machines, but the issue is that the event locks mess rather than that am not familiar with rex and regex commands and syntax.

0 Karma
1 Solution

sundareshr
Legend

Have you tried adding | extract pairdelim="," kvdelim=":" to your search? You should also consider adding kv rex to your conf fileds

If those two are not an option and you must use rex, this should work

.*SymantecServer\s(?<server_name>[^:]+):[^:]+:\s(?<scan_id>\d+),[^\d]+(?<begin>[^,]+),[^\s]+\s(?<end>[^,]+)?,(?<status>\w+),[^:]+:\s(?<duration>\d+),[^\s]+\s(?<user1>[^,]+),[^:]+:\s(?<user2>[^,]+)?(.*)Command:\s(?<command>[^,]+).*Total files:\s(?<total_files>\d+),[^:]+:\s(?<omitted>\d+),[^:]+:\s(?<computer>[^,]+),[^:]+:\s(?<ip>[^,]+).*Server:\s(?<server>.*)

This will extract the fields that are in bold in your question

View solution in original post

sundareshr
Legend

Have you tried adding | extract pairdelim="," kvdelim=":" to your search? You should also consider adding kv rex to your conf fileds

If those two are not an option and you must use rex, this should work

.*SymantecServer\s(?<server_name>[^:]+):[^:]+:\s(?<scan_id>\d+),[^\d]+(?<begin>[^,]+),[^\s]+\s(?<end>[^,]+)?,(?<status>\w+),[^:]+:\s(?<duration>\d+),[^\s]+\s(?<user1>[^,]+),[^:]+:\s(?<user2>[^,]+)?(.*)Command:\s(?<command>[^,]+).*Total files:\s(?<total_files>\d+),[^:]+:\s(?<omitted>\d+),[^:]+:\s(?<computer>[^,]+),[^:]+:\s(?<ip>[^,]+).*Server:\s(?<server>.*)

This will extract the fields that are in bold in your question

aelzain
Engager

Thanks @sundareshr, its working now as per your recommended solution,

0 Karma

asimagu
Builder

where are you facing issues when doing the extractions?? are you using the field extractor or building the extractions yourself?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...