Solved: Regex extraction

timbCFCA · ‎09-14-2011

I am attempting to extract key value pairs from a data stream with the following syntax.

Successful Logon:     User Name: user     Domain: domain     Logon ID: (0x0,0x1480338F)     Logon Process: etc     Workstation Name:      Logon GUID: {d660922a-0228-f3f5-0acd-2052d7e03d22}     Caller User Name: -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -     Transited Services: -     Source Network Address: ...

My transforms.conf contains

[with_colon] 
REGEX = \s\s\s(.*?):\s(.*?)\s\s 
FORMAT = $1::$2 
CLEAN_KEYS = 1 
MV_ADD = 1
REPEAT_MATCH = true

and my props.conf contains

[my_type]
# Derived from windows_snare_syslog
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
REPORT-colon = snare_colon
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S

The regular expression works perfectly in my test environment (Notepad++ with the latest regex engine) but not a single new field is extracted. What am I doing wrong?

Ayn · ‎09-14-2011

Looks like a typo in your props.conf? The section in transforms.conf is called with_colon but the transform you're referring to in props.conf is snare_colon.

View solution in original post

Ayn · ‎09-14-2011

Looks like a typo in your props.conf? The section in transforms.conf is called with_colon but the transform you're referring to in props.conf is snare_colon.

timbCFCA · ‎09-14-2011

Ayn.. Thanks so much. That was exactly the problem. Over the course of the implementation I changed the name slightly and hadn't updated it here. I now have a few hundred more fields I don't have to enter by hand.

Regex extraction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases