Hi all,
I'm trying to create a search that includes some regex. Ultimately, I'm trying to parse out some information (filename and file hash) from the raw event and show that information in a separate fields on a table. The other fields not mentioned are already parsed out by default; I just need the filename and file hash information to be parsed out as well. When I perform the below search, nothing shows up in the two new fields I created (fname, fileHash).
Could someone help me with my search?
Search Command:
index=antivirus CLF_ReasonCode="virus log" VLF_SecondActionResult="File passed" | rex field=_raw "fileHash= <(?<fileHash>.*)> fname= <(?<fname>.*)>" | table _time cef_name VLF_SecondActionResult fname fileHash
Raw Data:
Dec 24 11:39:47 test.test.com Dec 24 2018 11:39:47 testy-test001.test.test.com CEF:0|Test Test|Control Manager|0.0SP3|AV:File quarantined|Trojan.W77M.POWLOAD.SMNM2|3|deviceExternalId=000 rt=Dec 24 2018 13:51:23 GMT+00:00 cntLabel=AggregatedCount cnt=1 dhost=TEST000 act=File quarantined cn1Label=VLF_PatternNumber cn1=0000000 cn2Label=VLF_SecondAction cn2=1 cs1Label=VLF_FunctionCode cs1=Real-time Scan cs2Label=VLF_EngineVersion cs2=0.000.0000 cs3Label=CLF_ProductVersion cs3=0.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File quarantined cs6Label=VLF_SecondActionResult cs6=N/A cat=000 dvchost=TEST-TEST cn3Label=CLF_ServerityCode cn3=2 fname=test.doc filePath=C:\\Users\\u000000\\Downloads\\ dst=255.255.2.255 fileHash=dddd0c5df90e20af01f7ad1e73ea17777d87777b deviceFacility=ExecScan
I used these guides as references:
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Rex
http://blog.hortonew.com/how-to-use-regex-rex-in-splunk
| rex field=_raw ".*?fname\=(?<fname>\S+).*?fileHash\=(?<fileHash>\S+)\s+"
| table _raw fname fileHash
Hi @selinakvle
Try this
| rex field=_raw "fname=(?P<filename>.+[\s])filePath.*fileHash=(?P<fileHash>.*)device"
| rex field=_raw ".*?fname\=(?<fname>\S+).*?fileHash\=(?<fileHash>\S+)\s+"
| table _raw fname fileHash
That was quick. Thank you 🙂