Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
297 views
in Technique[技术] by (71.8m points)

syslog - How do I extend this RegEx with CEF data with these two KeyValue pairs?

I currently have this regex:

?P<key>w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+

Input row 1: event=1921;json={"source":"A","location":B":"folder":"c:\windows\system32"},"id":2,"address":null,"name":"gone";

Input row 2: dev=b;json={"dest":"123","home":AZ":"loc":"sys"},"ab":9,"home":null,"someKey":"someValue";

It correctly extracts the "event=1921;" but does extract the two other types.

  1. How do I extract the "json={...}" using Key (JSON) and Value?
  2. How do I extract "name":"gone" using Key (Name) and Value (gone)? The solution needs to be dynamic since key fields will be named differently in other rows.
question from:https://stackoverflow.com/questions/65892703/how-do-i-extend-this-regex-with-cef-data-with-these-two-keyvalue-pairs

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

you should be able to use the parse operator: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator

for example:

print input = 'event=1921;json={"source":"A","location":B":"folder":"c:\windows\system32"},"id":2,"address":null,"name":"gone";'
| parse input with * "json=" json:dynamic ',"id"' * '"name":"' name '"' *

if your payload / property names are entirely dynamic, then:

a. I would recommend you evaluate your options to structure the source data in standard format (currently, even the "json" part of it isn't valid JSON)

b. you could try the following - functional, but very inefficient (not recommended for large scale data procesing)

datatable(input:string)
[
    'event=1921;json={"source":"A","location":B":"folder":"c:\windows\system32"},"id":2,"address":null,"name":"gone";',
    'dev=b;json={"dest":"123","home":AZ":"loc":"sys"},"ab":9,"home":null,"someKey":"someValue";'
]
| parse input with prefix ";json={" json:dynamic '},' suffix
| mv-apply x = extract_all(@'(w+)=(w+)', prefix) on (
    project p = pack(tostring(x[0]), x[1])
    | summarize b1 = make_bag(p)
)
| mv-apply y = extract_all(@'"(w+)":"?(w+)"?', suffix) on (
    project p = pack(tostring(y[0]), y[1])
    | summarize b2 = make_bag(p)
)
| project json = strcat("{", json, "}"), b = bag_merge(b1, b2)
| evaluate bag_unpack(b)

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...