How to create field from one to many fields of a certain format?

ejwade
Contributor

Here is my data (linux_audit):

type=EXECVE msg=audit(1567181894.530:909): argc=2 a0="cat" a1="audit.log"
type=EXECVE msg=audit(1567181796.532:830): argc=4 a0="sudo" a1="chmod" a2="+x" a3="commandandcontrol.sh"
type=EXECVE msg=audit(1567181863.387:865): argc=1 a0="/usr/bin/hostname"

I'm trying to create a field with a value that is the full command, concatenating the arguments. Here would be the values for these logs:

cat audit.log
sudo chmod -x commandandcontrol.sh
/usr/bin/hostname

The tricky part is creating a field from an unknown number of arguments. Right now, I'm doing rex commands in SPL, but it'd be nice to use an eval or regular expressions to create this field in props/transforms.


Sukisen1981
Champion

hi @ejwade
Splunk 7.3.1 does allow eval in the props.conf files - https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Configurecalculatedfieldswithprops.conf
However, I disagree with you on doing this in the conf files. Generally (and there is no official backing for this), you transform/mask/unmask/escape special chars or have a regex which is frequently needed in the conf files.
As long as your pattern is the same, you can extract any number of the arguments using one regex in Splunk web; try this:

| rex field=_raw "\"+(?<extrct>.*?)\"" max_match=0
| nomv extrct

I daresay this is not a frequently used field overall, considered in the index as a whole.
Interesting fields (default) only come up if the field is in >=20% of the data. Think about it.


ejwade
Contributor

@sukisen1981

You misunderstood - I wasn't questioning whether or not you can do eval in props. I didn't know about the max_match parameter - that's certainly another way to do it. Currently, I'm using the following rex commands in SPL to get the field I want:

| rex field=_raw "a0=\"(?<cmdline>.*)"
| rex field=cmdline mode=sed "s/\"\sa\d=\"?/ /g"
| rex field=cmdline mode=sed "s/\"$//g"

For my use case, I disagree with you regarding conf files. I would still prefer to do this in a conf file, so the field is automatically created when I search. I plan to reference this field in multiple searches, so having these commands across every search does not scale well.

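For anyone who needs the same reconstruction outside Splunk (for example in a detection pipeline that reads auditd logs directly), here is a small Python parser, added as an example and not code from this thread or from Splunk. It builds the command line from any number of aN= arguments, checks the count against argc, and also handles the form auditd uses when an argument contains a space or a quote: the value is then written as hex with no surrounding quotes (the fourth sample record below is constructed to show that case; the first three are the records from the question). Records where auditd splits one very long argument into aN[0]=, aN[1]= pieces are not handled here.

```python
import re
import shlex

# Constructed sample records, modelled on the linux_audit EXECVE lines in the thread.
# Record 4 is constructed: a2 is "echo hello", which auditd hex-encodes because of the space.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1567181894.530:909): argc=2 a0="cat" a1="audit.log"',
    'type=EXECVE msg=audit(1567181796.532:830): argc=4 a0="sudo" a1="chmod" a2="+x" a3="commandandcontrol.sh"',
    'type=EXECVE msg=audit(1567181863.387:865): argc=1 a0="/usr/bin/hostname"',
    'type=EXECVE msg=audit(1567181900.000:910): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F',
]

# One pattern for every argument: aN="quoted value" or aN=HEXDIGITS (unquoted, hex-encoded).
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')
ARGC_RE = re.compile(r'\bargc=(?P<argc>\d+)')


def decode_arg(quoted, hexval):
    """Return the argument text; hex-encoded values are decoded back to bytes then UTF-8."""
    if quoted is not None:
        return quoted
    return bytes.fromhex(hexval).decode("utf-8", errors="replace")


def parse_execve(record):
    """Return (argc, [args]) for one EXECVE record, with args in a0..aN order.

    Raises ValueError when the record is not EXECVE, lacks argc, or the
    number of aN fields found does not cover 0..argc-1.
    """
    if "type=EXECVE" not in record:
        raise ValueError("not an EXECVE record")
    m = ARGC_RE.search(record)
    if m is None:
        raise ValueError("missing argc")
    argc = int(m.group("argc"))

    args = {}
    for match in ARG_RE.finditer(record):
        args[int(match.group("idx"))] = decode_arg(match.group("quoted"), match.group("hex"))

    missing = [i for i in range(argc) if i not in args]
    if missing:
        raise ValueError(f"argc={argc} but arguments missing: {missing}")
    return argc, [args[i] for i in range(argc)]


def command_line(record):
    """Space-joined command, the same value the thread's cmdline field is meant to hold."""
    _, args = parse_execve(record)
    return " ".join(args)


def shell_command_line(record):
    """Shell-quoted form: an argument that contained a space stays visibly one argument."""
    _, args = parse_execve(record)
    return shlex.join(args)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(command_line(rec), "|", shell_command_line(rec))
```

The plain join reproduces the values asked for in the question; the shlex.join variant matters for the hex-encoded case, where "sh -c echo hello" would otherwise be indistinguishable from a four-argument invocation when the reconstructed field is later searched or compared.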