Add new field data using Regex

JeremyP · May 5, 2020, 6:35pm

Hello,

I'm trying to do something rather simple by extracting a Microsoft KB from a string (in my case, the summary field), and adding it to a new field called "patch". I have the regex, just not sure what filter to use and the appropriate syntax.

My code:

I'm copying the summary field to a new field called patch, and then attempting to modify the field contents to only contain the result of the regex search.

filter {
  mutate {
gsub => [
  "ip_address", "/32", ""
]
copy => { "summary" => "patch" }
replace => { "patch" => "(KB\d+)" }
  }
}

Here is my source event:

{
                              "os_name" => "Windows Server 2016 Standard Edition",
                             "@version" => "1",
                           "ip_address" => "192.168.65.228",
    "last_assessed_for_vulnerabilities" => 2020-04-09T14:51:53.823Z,
                     "reporting period" => "2020.05",
                              "summary" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
                          "data_source" => "Nexpose",
                           "@timestamp" => 2020-05-05T18:31:04.605Z,
                                "patch" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
                            "host_name" => "epo",
                             "severity" => "Severe",
                             "asset_id" => 1181,
                          "solution_id" => 60397,
                                  "url" => "http://support.microsoft.com/help/4103723"
}

This is what I was hoping to accomplish:

{
                              "os_name" => "Windows Server 2016 Standard Edition",
                             "@version" => "1",
                           "ip_address" => "192.168.65.228",
    "last_assessed_for_vulnerabilities" => 2020-04-09T14:51:53.823Z,
                     "reporting period" => "2020.05",
                              "summary" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
                          "data_source" => "Nexpose",
                           "@timestamp" => 2020-05-05T18:31:04.605Z,
                                "patch" => "KB4103723",
                            "host_name" => "epo",
                             "severity" => "Severe",
                             "asset_id" => 1181,
                          "solution_id" => 60397,
                                  "url" => "http://support.microsoft.com/help/4103723"
}

Thanks!

Luca_Belluccini · May 5, 2020, 7:07pm

There are different ways to extract the string.

One option is to use grok.
No need for the copy and replace in the mutate.
Set the tag_on_failure to false if not all the summary fields contain the string.

grok {
	match => {
		"summary" => "\((?<patch>KB[0-9]+)\)$"
	}
        tag_on_failure => false
}

You can test it at https://grokdebug.herokuapp.com/ or in Kibana if you have a basic license:
https://www.elastic.co/guide/en/kibana/current/xpack-grokdebugger.html

JeremyP · May 7, 2020, 1:26am

Thank you kind sir. I had to tweak the regex a little bit to take into account some additional variations in the message but you certainly put me back onto the right track. Take care.

system · June 4, 2020, 1:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add a new field based on a regex capturing group Logstash	2	6506	July 6, 2017
Create a new field using Regular Expressions Logstash	3	5382	August 7, 2018
Add a field starting from a substring of the file name Logstash	3	376	April 12, 2021
Logstash: If message contains regex add field Logstash	1	7638	June 20, 2017
Can not add a new field using if filter and add_field Logstash	6	456	July 27, 2020

Add new field data using Regex

Related topics