Re: Field extraction for multiple types of values

srinivasgowda · ‎02-28-2021

Hello all,

I am trying to extract the data from the field evtComponent from the below event, and this has a multiple types of data that is coming in as below.

1) ZENOSS-MIB::evtComponent = STRING: "HostSystem_host-1240" ZENOSS-MIB::evtClass = STRING: "/Status/Ping"

2) ZENOSS-MIB::evtComponent = STRING: "\"London\"" ZENOSS-MIB::evtClass = STRING:

The highlighted fields needs to be extracted, however when I use the below extraction this only satisfies the correct extraction on example 1 but fails to just extract the field from example 2. Can you please suggest.

Below is the extraction that I am using.

ZENOSS-MIB::evtComponent = STRING: \"(?<component>.*)\"\s+ZENOSS-MIB::evtClass\s

Thank you.

srinivasgowda · ‎03-04-2021

This worked. Thank you @gcusello

gcusello · ‎02-28-2021

Hi @srinivasgowda,

you should try to use two regexes:

the first

| rex "evtComponent\s+\=\s+STRING:\s+\"(?<evtComponent>[^\"]+)\"\s+"

that you can test at https://regex101.com/r/Ip8Vj2/1

the second

| rex "evtComponent\s+\=\s+STRING:\s+\"\\\"(?<evtComponent>[^\\]+)"

that you can test at https://regex101.com/r/Ip8Vj2/2

Ciao.

Giuseppe

Field extraction for multiple types of values

field extraction

fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases