Trying to update the field extraction for the field "user" in the Splunk Add-on for Symantec Endpoint Protection props.conf.
The current configuration is:
```
[symantec:ep:risk:file]
TRANSFORMS-nullqueueheader = sep_file_header
KV_MODE = none
pulldown_type = true
category = Network & Security
description = Symantec Endpoint Protection agent risk events
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
REPORT-field_extraction_for_agt_risk = field_extraction_for_agt_risk, filename_from_filepath
REPORT-field_extraction_for_agt_risk_signature = field_extraction_for_agt_risk_signature
```
**Purpose for below "EVAL"s: remove prefix for specific field.**
```
# Note: (1) the value of the field may contain more than one colon.
# e.g. "Begin Time: 2011-11-11 11:11:11"
# (2) the value of the field may be an empty string, which should be set to null.
# e.g. "Domain: "
```
**For the case: "User Name: user1,user2"**
```
EVAL-user = nullif(split(trim(replace(user, "[^:]+:\s*(.*)", "\1"),"\"'"),","),"")
```
Sample log:
```
10:26:53,Security risk found,IP Address: ****,Computer name: ****,Source: Real Time Scan,Risk name: WS.Reputation.1,Occurrences: 1,Unavailable,'',Actual action: Deleted,Requested action: Quarantined,Secondary action: Left alone,Event time: 2017-02-15 16:21:29,Inserted: 2017-02-15 16:26:53,End: 2017-02-15 16:21:30,Last update time: 2017-02-15 16:26:53,Domain: ****,Group: My Company,Server: ****,User: "Donald, Duck {ABC}",Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ****,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Malware,Category type: Insight Network Threat
16:26:41,Virus found,IP Address: ****,Computer name: ****,Source: Scheduled Scan,Risk name: W32.SillyFDC,Occurrences: 1,****,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2017-02-15 10:25:49,Inserted: 2017-02-15 10:26:31,End: 2017-02-15 10:25:56,Last update time: 2017-02-15 16:26:41,Domain: ****,Group: My Company,Server: ****,User: Donald,Source computer: ,Source IP: ,Disposition: Good,Download site: ,Web domain: ,Downloaded by: c:/windows/explorer.exe,Prevalence: This file has been seen by fewer than 100 Symantec users.,Confidence: There is a lot of evidence that this file is trustworthy.,URL Tracking Status: Off,,First Seen: Symantec has known about this file for more than 1 year.,Sensitivity: ,MDS,Application hash: *****Hash type: SHA2,Company name: ,Application name: Updates.exe,Application version: ,Application type: 127,File size (bytes): 92160,Category set: Malware,Category type: Virus
16:26:41,Virus found,IP Address: ****,Computer name: ****,Source: Scheduled Scan,Risk name: W32.SillyFDC,Occurrences: 1,****,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2017-02-15 10:25:49,Inserted: 2017-02-15 10:26:31,End: 2017-02-15 10:25:56,Last update time: 2017-02-15 16:26:41,Domain: ****,Group: My Company,Server: ****,User: 1234567,Source computer: ,Source IP: ,Disposition: Good,Download site: ,Web domain: ,Downloaded by: c:/windows/explorer.exe,Prevalence: This file has been seen by fewer than 100 Symantec users.,Confidence: There is a lot of evidence that this file is trustworthy.,URL Tracking Status: Off,,First Seen: Symantec has known about this file for more than 1 year.,Sensitivity: ,MDS,Application hash: *****Hash type: SHA2,Company name: ,Application name: Updates.exe,Application version: ,Application type: 127,File size (bytes): 92160,Category set: Malware,Category type: Virus
```
The default configuration works for the users 123456 and Donald, but it extracts two values for the user Donald, Duck{BIS}: user=Donald and user=Duck{BIS}.
My requirement is to update the regex to extract all three values, and the User value shouldn't contain double quotes in it.
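As an added illustration (not the add-on's code and not Splunk SPL), the Python below mirrors the pipeline of the EVAL-user expression quoted above against the User values from the three sample events, shows why the quoted value comes out as two users, and contrasts a variant that splits on commas only when the value was not quoted. The raw field values are constructed and the function names are hypothetical.

```python
import re

# Constructed raw values of the "User" field for the events quoted in the post,
# in the 'Label: value' form the add-on's REPORT extraction hands to EVAL-user.
RAW_USER_FIELDS = [
    'User: "Donald, Duck {ABC}"',   # quoted: one identity that contains a comma
    'User: Donald',
    'User: 1234567',
    'User: ',                        # empty value, which the add-on wants as null
    'User Name: user1,user2',        # the unquoted list the EVAL was written for
]

PREFIX_RE = re.compile(r'[^:]+:\s*(.*)')

def current_eval_user(raw):
    """Mirror of the add-on's EVAL-user (hypothetical helper name):
    nullif(split(trim(replace(user, "[^:]+:\\s*(.*)", "\\1"), "\\"'"), ","), "")
    Strips the label, trims quote characters, then splits on every comma."""
    value = PREFIX_RE.sub(r'\1', raw, count=1)   # replace(): drop 'Label: ' prefix
    value = value.strip('"\'')                    # trim(): remove surrounding quotes
    parts = [p for p in value.split(',') if p != '']   # split() + nullif(..., "")
    return parts or None

# Alternation: a double-quoted value is captured whole, anything else is bare.
QUOTED_OR_BARE_RE = re.compile(r'[^:]+:\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>.*))')

def quote_aware_user(raw):
    """Split on commas only when the value was not quoted; a quoted value is a
    single identity, returned without its surrounding double quotes."""
    m = QUOTED_OR_BARE_RE.match(raw)
    if m is None:
        return None
    if m.group('quoted') is not None:
        parts = [m.group('quoted')]
    else:
        parts = [p.strip().strip('"\'') for p in m.group('bare').split(',')]
        parts = [p for p in parts if p]
    return parts or None

if __name__ == '__main__':
    for raw in RAW_USER_FIELDS:
        print(f'{raw!r:30} current={current_eval_user(raw)!r:26} '
              f'quote-aware={quote_aware_user(raw)!r}')
```

The quoted sample is the only input where the two functions disagree: the mirrored EVAL returns two users, the quote-aware variant returns one.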