Extracting fields in SPL

November 25, 2024 · 2 min read

When you onboard a new log source, or start working with unfamiliar event records that are already being shipped to Splunk, you will often find important details buried in the event text that would be far more useful if they were captured in a field of their own.

The entire text of an event is available in the _raw field. Specific details inside it, such as IP addresses or account names, can be extracted into their own fields if you can write a regular expression that matches them.

Extracted fields are useful for correlation and filtering. For example, once an IP address is in its own field you can exclude events whose address falls inside a given network block. Extraction at search time is done with the rex command.

For example, suppose you had a log event whose raw text looked like this:

Subject:
    Security ID: NT AUTHORITY/SYSTEM
    Account Name: CONTOSOWORKSTATION$
    Account Domain: CONTOSO
    Logon ID: 0x307

Target Account:
    Security ID: NT AUTHORITY/SYSTEM
    Account Name: CONTOSOWORKSTATION$
    Account Domain: CONTOSO
    Logon ID: 0x307

Process Information:
    Process ID: 0x2a1
    Process Name: lsass.exe

Enabled Privileges:
    -

Disabled Privileges:
    SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeChangeNotifyPrivilege

You could extract the disabled privileges into a `disabled_privs` field with a rex command like this one:

| rex field=_raw "Disabled Privileges:\s+(?<disabled_privs>Se\w+Privilege(?:\s+Se\w+Privilege)*)"

The pattern anchors on the literal text “Disabled Privileges:”, skips the whitespace and line break that follow it, and captures the run of privilege names (each starting with `Se`, ending in `Privilege`, and separated from the next only by whitespace) into the named group `disabled_privs`. A looser pattern such as `Subject:[\s\S\t]+(?<disabled_privs>.*)` does not do this: the greedy `[\s\S\t]+` consumes the whole event, and because `.` does not cross line breaks in Splunk's PCRE the group is left matching the empty string at the very end, so nothing useful is captured. With the anchored pattern the new field holds the captured block, which contains these values:

SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
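The two extractions described above, worked through in Python as an added example (this is not code from the post or from SOC Prime). Python's `re` module stands in for Splunk's PCRE, so named groups are written `(?P<name>...)` rather than `(?<name>...)`; the regex bodies are otherwise the same as in the text. The event text is a constructed copy of the record above, and the SSH-style lines and the `10.0.0.0/8` block used for the exclusion case are made up. It shows what the `Subject:[\s\S\t]+(?<disabled_privs>.*)` form actually captures versus the section-anchored pattern, splits the captured block into one value per privilege (what `makemv` would give you in SPL), and filters extracted IPs against a network block as the correlation paragraph describes.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample event mirroring the record shown above (not a real log).
# In Splunk this text would be the _raw field the rex command runs against.
SAMPLE_EVENT = """Subject:
    Security ID: NT AUTHORITY/SYSTEM
    Account Name: CONTOSOWORKSTATION$
    Account Domain: CONTOSO
    Logon ID: 0x307

Target Account:
    Security ID: NT AUTHORITY/SYSTEM
    Account Name: CONTOSOWORKSTATION$
    Account Domain: CONTOSO
    Logon ID: 0x307

Process Information:
    Process ID: 0x2a1
    Process Name: lsass.exe

Enabled Privileges:
    -

Disabled Privileges:
    SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeChangeNotifyPrivilege
"""

# The loose "Subject:" pattern in Python's named-group syntax. The greedy
# [\s\S\t]+ consumes the whole event and .* (which does not cross line breaks)
# is left matching the empty string at the end, so the group captures nothing.
LOOSE_PATTERN = re.compile(r"Subject:[\s\S\t]+(?P<disabled_privs>.*)")

# Anchored pattern: find the section header, then capture a run of privilege
# names separated only by whitespace. Same regex body as the corrected rex.
PRIV_NAME = r"Se\w+Privilege"
SECTION_TEMPLATE = (
    r"{section} Privileges:\s+(?P<privs>" + PRIV_NAME + r"(?:\s+" + PRIV_NAME + r")*)"
)


def loose_pattern_capture(event: str) -> Optional[str]:
    """Return what the loose pattern puts in disabled_privs (an empty string here)."""
    m = LOOSE_PATTERN.search(event)
    return m.group("disabled_privs") if m else None


def extract_privileges(event: str, section: str) -> List[str]:
    """Return the privilege names under '<section> Privileges:' as a list.

    This is the multivalue field you would get in SPL from the anchored rex
    followed by makemv. A section that is absent or holds only '-' yields [].
    """
    pattern = SECTION_TEMPLATE.format(section=re.escape(section))
    m = re.search(pattern, event)
    if not m:
        return []
    # Split the captured block on the privilege-name token, dropping the
    # newlines and indentation that sit between names in the raw event.
    return re.findall(PRIV_NAME, m.group("privs"))


# --- extraction for correlation: drop events whose IP sits in a known block ---

# Constructed syslog-style lines (hypothetical, not from any real host).
SAMPLE_IP_EVENTS = [
    "sshd[1201]: Accepted publickey for deploy from 10.20.30.40 port 51522",
    "sshd[1202]: Failed password for root from 198.51.100.77 port 40021",
    "sshd[1203]: Accepted password for admin from 10.20.99.5 port 50110",
]

# Same shape as: | rex "(?<src_ip>(?:\d{1,3}\.){3}\d{1,3})"
IPV4_PATTERN = re.compile(r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})")


def extract_src_ip(event: str) -> Optional[str]:
    """Extract the first dotted-quad and validate it; the regex alone accepts 999.1.1.1."""
    m = IPV4_PATTERN.search(event)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("src_ip")))
    except ValueError:
        return None


def events_outside_block(events: List[str], cidr: str) -> List[str]:
    """Keep events whose extracted IP is NOT inside cidr (cf. NOT cidrmatch())."""
    network = ipaddress.ip_network(cidr)
    kept = []
    for event in events:
        ip = extract_src_ip(event)
        # An event with no extractable IP cannot be "inside" the block, so it is
        # kept here; make the opposite choice explicit if you want those dropped.
        if ip is None or ipaddress.ip_address(ip) not in network:
            kept.append(event)
    return kept


if __name__ == "__main__":
    print(repr(loose_pattern_capture(SAMPLE_EVENT)))
    print(extract_privileges(SAMPLE_EVENT, "Disabled"))
    print(extract_privileges(SAMPLE_EVENT, "Enabled"))
    print(events_outside_block(SAMPLE_IP_EVENTS, "10.0.0.0/8"))
```

In SPL the equivalent of `extract_privileges` is the anchored rex followed by `| makemv tokenizer="(Se\w+Privilege)" disabled_privs`, which turns the captured block into one value per privilege. The IP case is `| rex "(?<src_ip>(?:\d{1,3}\.){3}\d{1,3})" | where NOT cidrmatch("10.0.0.0/8", src_ip)`; note that `where` only keeps events for which the expression is true, so events with no `src_ip` at all disappear from the results, which is the opposite of what the Python filter above does. Decide which behaviour you want before relying on the exclusion in a detection.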
