Add new field data using Regex

Hello,

I'm trying to do something rather simple by extracting a Microsoft KB from a string (in my case, the summary field), and adding it to a new field called "patch". I have the regex, just not sure what filter to use and the appropriate syntax.

My code:

I'm copying the summary field to a new field called patch, and then attempting to modify the field contents to only contain the result of the regex search.

filter {
  mutate {
    gsub => [
      "ip_address", "/32", ""
    ]
    copy => { "summary" => "patch" }
    replace => { "patch" => "(KB\d+)" }
  }
}

Here is my source event:

{
                              "os_name" => "Windows Server 2016 Standard Edition",
                             "@version" => "1",
                           "ip_address" => "192.168.65.228",
    "last_assessed_for_vulnerabilities" => 2020-04-09T14:51:53.823Z,
                     "reporting period" => "2020.05",
                              "summary" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
                          "data_source" => "Nexpose",
                           "@timestamp" => 2020-05-05T18:31:04.605Z,
                                "patch" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
                            "host_name" => "epo",
                             "severity" => "Severe",
                             "asset_id" => 1181,
                          "solution_id" => 60397,
                                  "url" => "http://support.microsoft.com/help/4103723"
}

This is what I was hoping to accomplish:

{
                              "os_name" => "Windows Server 2016 Standard Edition",
                             "@version" => "1",
                           "ip_address" => "192.168.65.228",
    "last_assessed_for_vulnerabilities" => 2020-04-09T14:51:53.823Z,
                     "reporting period" => "2020.05",
                              "summary" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
                          "data_source" => "Nexpose",
                           "@timestamp" => 2020-05-05T18:31:04.605Z,
                                "patch" => "KB4103723",
                            "host_name" => "epo",
                             "severity" => "Severe",
                             "asset_id" => 1181,
                          "solution_id" => 60397,
                                  "url" => "http://support.microsoft.com/help/4103723"
}

Thanks!

There are different ways to extract the string.

One option is to use grok.
No need for the copy and replace in the mutate.
Set the tag_on_failure to false if not all the summary fields contain the string.

grok {
  match => {
    "summary" => "\((?<patch>KB[0-9]+)\)$"
  }
  tag_on_failure => false
}

You can test it at https://grokdebug.herokuapp.com/ or in Kibana if you have a basic license:
https://www.elastic.co/guide/en/kibana/current/xpack-grokdebugger.html
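To see the grok match from the answer above outside of Logstash, here is an added Ruby example (not from the original thread) that applies the same named-capture pattern to an event hash, mimics tag_on_failure for summaries with no KB number, and cross-checks the extracted patch against the trailing number in the Nexpose url field. The sample events and the patch_matches_url? helper are constructed for this example.

```ruby
require "uri"

# Same pattern as the grok match in the answer above: a KB number in
# parentheses at the very end of the summary.
PATCH_PATTERN = /\((?<patch>KB[0-9]+)\)$/

# Constructed sample events, modelled on the thread's Nexpose record; the
# second one has no KB number so the failure path is exercised.
SAMPLE_EVENTS = [
  { "summary" => "2018-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4103723)",
    "url"     => "http://support.microsoft.com/help/4103723" },
  { "summary" => "Apache Struts remote code execution via OGNL injection",
    "url"     => "https://struts.apache.org/" },
]

# Emulates grok { match => { "summary" => ... } tag_on_failure => failure_tags }.
# Returns a new event hash; on a miss, "patch" is left unset and the failure
# tags (grok's default is ["_grokparsefailure"]) are appended to "tags".
def extract_patch(event, failure_tags = ["_grokparsefailure"])
  out = event.dup
  if (m = PATCH_PATTERN.match(out["summary"].to_s))
    out["patch"] = m[:patch]
  else
    out["tags"] = Array(out["tags"]) + failure_tags
  end
  out
end

# Consistency check (hypothetical helper): the Nexpose url field ends in the
# bare KB number, so the extracted patch should agree with it. Returns nil
# when there is nothing to compare, true/false otherwise.
def patch_matches_url?(event)
  return nil unless event["patch"] && event["url"]
  kb_from_url = URI(event["url"]).path.split("/").last.to_s
  event["patch"] == "KB#{kb_from_url}"
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |ev|
    out = extract_patch(ev, [])   # [] mirrors tag_on_failure => []: no tag on a miss
    puts "patch=#{out["patch"].inspect} tags=#{out["tags"].inspect} url_ok=#{patch_matches_url?(out).inspect}"
  end
end
```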

Thank you kind sir. I had to tweak the regex a little bit to take into account some additional variations in the message but you certainly put me back onto the right track. Take care.
