My muilti-line regex won't work after saving it for field extractions in a HPUX audit log

guarisma
Contributor

Hello,

This is my regex, it works well using the rex command on the search bar of my app like this:

index=hpux tag=audit "bin/rm" | rex "(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n(?:^.*\n)+^Return1:\s+(?P<status>[\S]+)\n(?:^.*\n)+^\s+given path = \"(?P<command>[\S]+)\"\n(?:^.*\n)+^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\""

This is my sample event:

Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
Groups:                 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges:           "BASIC"
Permitted privileges:           "BASIC"
Retained privileges:            "BASIC"
Audit tag:              0:         0:(system):      (boot)
TTY:                    (none)
Return1:                0
Arg 1 (file info):                      
                    given path = "/usr/bin/rm"
                    inode = 204
                    device = 64, 0x7
                    mode = 0100555
                    owner uid/gid = 2/2
                    type = regular file
Arg 2 (argument list):                  
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):                      
                    inode = -1
--------------------------------------------------------------------

So,
pid=9368
ppid=9361
user=root
group=sys
status=0
command=/usr/bin/rm
file=/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old

But when I paste it in a Field Extraction GUI, the preview works, then I save it under my app with Global permissions but my searches won't extract any of the fields.

Am I missing something? This usually works out of the box.

I'm running Splunk 6.4.1.
Thanks for any help.


gokadroid
Motivator

Try this please as I was able to extract it with this regex and all the fields showed up after extraction:

(?s)PID:\s+(?<pid>[^\D]+).*PPID:\s+(?<ppid>[^\D]+).*User\/Grp:\s+\S+\((?<user>[^\/]+)\/(?<group>[^\)]+)\).*Return1:\s+(?<status>[^\D]+).*given\s+?path\s+?=\s+?\"(?<command>[^\s\"]+).*arg\s+?\#\d\s+?=\s+?\"(?<file>[^\s\"]+).*

If it works, please accept the answer and up vote. Thanks!

guarisma
Contributor

Thanks for your help, but I have decided to take another option since this type of log mutates a lot.

I decided to just keep the header part in one Field Extraction:

(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n

And then make several other Field Extractions for the rest of the commands:

^Return1:\s+(?P<status>[\S]+)\n

^\s+given path = \"(?P<command>[\S]+)\"\n

^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\"

Now the next problem I have is that I can have any number of "arg #N" and it would be nice to capture all of them dynamically.

Any HP-UX audit log experts out there? 🙂

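As an added example that is not part of this thread, the same extraction in Python's `re` module: the header block in the shape of the original multi-line `(?m)` regex, the later blocks matched on their own as in the split extractions, and every `arg #N` line captured as a multivalued field, which is the open question above. It assumes one event per dashed-separator block; the sample event is constructed from the one in the question, and Python only accepts the `(?P<name>...)` group syntax, so that form is used throughout.

```python
import re

# Sample HP-UX audit event, constructed from the one quoted in the question.
SAMPLE_EVENT = """\
Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
TTY:                    (none)
Return1:                0
Arg 1 (file info):
                    given path = "/usr/bin/rm"
Arg 2 (argument list):
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
--------------------------------------------------------------------
"""
# Header block: Time, PID, PPID and User/Grp lines in order, like the (?m) regex.
HEADER_RE = re.compile(
    r"^Time:.*\n"
    r"^PID:\s+(?P<pid>\S+)\n"
    r"^PPID:\s+(?P<ppid>\S+)\n"
    r"^User/Grp:\s+\S+\((?P<user>[^/]+)/(?P<group>[^)]+)\)\n",
    re.M,
)
# Later blocks matched independently, so a missing block does not void the event.
STATUS_RE = re.compile(r"^Return1:\s+(?P<status>\S+)$", re.M)
COMMAND_RE = re.compile(r'^\s+given path = "(?P<command>[^"]+)"$', re.M)
# Every "arg #N" line regardless of N (the follow-up question in the thread).
ARG_RE = re.compile(r'^\s+arg #(?P<n>\d+) = "(?P<value>[^"]*)"$', re.M)


def extract_fields(event: str) -> dict:
    """Return the named fields of one HP-UX audit event as a dict."""
    fields = {}
    for rx in (HEADER_RE, STATUS_RE, COMMAND_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    # Multivalued field, args kept in numeric order, e.g. ["rm", "/audit/..."]
    args = sorted((int(m["n"]), m["value"]) for m in ARG_RE.finditer(event))
    fields["args"] = [value for _, value in args]
    return fields


def split_events(log: str) -> list:
    """Split a raw audit log on the dashed separator line between events."""
    parts = re.split(r"^-{20,}\s*$", log, flags=re.M)
    return [p.strip("\n") for p in parts if p.strip()]
```

In Splunk itself the multivalued capture of every `arg #N` line needs `rex max_match=0` rather than a single-match field extraction.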