KV Filter Regex


I have the following message getting from Qradar: ( I have changed some things like ID, logon etc...)

A network share object was accessed.   Subject:  Security ID:  ELK\\test-test$  Account Name:  test-test$  Account Domain:  ELASTIC  Logon ID: xxxxxx  Network Information:   Object Type:  File  Source Address:  Source Port:  88888   Share Information:  Share Name:  \\\\*\\IPC$  Share Path:    Access Request Information:  Access Mask:  0x1  Accesses:  ReadData (or ListDirectory)        

I wanted to use KV Filter to see create Key values automatically

This is my config for key Value

  source => "Message"
  field_split => "((?:[A-Za-z0-9_-] ?)+): +([^ ]*?)  " value_split => ":"

Unfortunately it doesn't set write it in the index.

I tested my Regex. It should be working.

Now i've tried the new feature Ingest Node Pipelines. There i can see an error with no information.

Can anybody help me?

At a minimum, this should be changed to use field_split_pattern instead of field_split.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.