KV Filter Regex

lumi · March 9, 2021, 5:53pm

Hello

I have the following message getting from Qradar: ( I have changed some things like ID, logon etc...)

A network share object was accessed.   Subject:  Security ID:  ELK\\test-test$  Account Name:  test-test$  Account Domain:  ELASTIC  Logon ID: xxxxxx  Network Information:   Object Type:  File  Source Address:  8.8.8.8  Source Port:  88888   Share Information:  Share Name:  \\\\*\\IPC$  Share Path:    Access Request Information:  Access Mask:  0x1  Accesses:  ReadData (or ListDirectory)

I wanted to use KV Filter to see create Key values automatically

This is my config for key Value

kv{
  source => "Message"
  field_split => "((?:[A-Za-z0-9_-] ?)+): +([^ ]*?)  " value_split => ":"
        }

Unfortunately it doesn't set write it in the index.

I tested my Regex. It should be working.

Now i've tried the new feature Ingest Node Pipelines. There i can see an error with no information.

Can anybody help me?

Badger · March 9, 2021, 6:13pm

At a minimum, this should be changed to use field_split_pattern instead of field_split.

system · April 6, 2021, 6:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.