Trusted Contributor.

unable to retrieve token from log

Hello everyone!

Recently I started configuring a SmartConnector, and in the logs it parses (standard key-value format) there is this field: Dn=".CN=bob.O=novell.T=CEF." . For this I defined a token with the type String, yet somehow it fails to process it, and every time I'd like it to be displayed it returns only an empty field. Well, the only information I would need from this would be the CN "bob", but if I could only get the whole line, that would do the job.

All help is welcomed and appreciated.

Have a nice day, Thomas

10 Replies
Knowledge Partner

Can you share the parser file (at least the first 4-5 rows indicating the delimiters, text qualifier, etc.)?

Trusted Contributor.

Yes, sure, it looks like this:

key.delimiter=,
key.value.delimiter==
text.qualifier="
trim.message=true
trim.tokens=true
trim.keys=true

Knowledge Partner

Since the value contains "=", it causes a parsing problem because key.value.delimiter is "=" too.

I'm not sure if it works, but can you try using key.value.delimiter==" (delimiter is =") to see what happens?

Trusted Contributor.

I've tried and it doesn't work. Shouldn't it parse everything between the " " as a string? I also thought it has a problem with the = sign, I just don't know why and how I should fix it.

Knowledge Partner

There is a similar discussion on https://community.microfocus.com/t5/ArcSight-User-Discussions/How-to-configure-Key-Value-Parsers/td-p/1542016

Suggestion 1: edit the key.regexp parameter and try key.regexp=([^\s]+)="

Suggestion 2: If there aren't many tokens, create a regex parser for the log.

Can you provide a single raw log containing this issue?

Trusted Contributor.

Yeah, here you go:

vlogRecNo="47911", vigilRecNo="47911", Pid="3175", TimeStamp="2019-07-01 14:11:40.908141", Type="3 NSS", Event="65536 RENAME", TaskID="0", Zid="26A6A3", ParentZid="7F", OpRetCode="0", FileType="3 NAMED_DATA_STREAM", FileAttributes="0x40000000 { 30-ATTR_ARCHIVE}", VolID="F87C0955B423E9018000273FFAD21FCC", VolDn="VLOG_VOL", UserID="03000000000000000000000000000000", UserDn="Supervisor", Uid="0", Uid_Name="root", Euid="0", Euid_Name="root", Suid="0", Suid_Name="root", Fsuid="0", Fsuid_Name="root", Gid="0", Gid_Name="root", Egid="0", Egid_Name="root", Sgid="0", Sgid_Name="root", Fsgid="0", Fsgid_Name="root", Comm="ndsd", ConnID="27", TaskID="2", userID="674C0DFDD539C241AA34674C0DFDD539", Dn=".CN=bob.O=novell.T=CEF.", NetAddr_IPv4[123.456.78.90], source="[VLOG_VOL:/New Text Document.txt]", destination="[VLOG_VOL:/cxvbxcvb.txt]", RenameFlags="0x00000101 { 0-ALLOW_RENAMES_TO_MYSELF 8-KEEP_VFS_CACHE}", FileNameType="0"

Knowledge Partner

Can you try the following? I tested it in my lab and it parsed a sample log correctly.

key.delimiter=,\\s
key.value.delimiter==
key.regexp=([^\\s="]+)
text.qualifier="
trim.message=true
trim.tokens=true
trim.keys=true

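As an added example (not code from this thread or from the ArcSight parser), here is the quote-aware tokenisation the configuration above is aiming for, in Python: a key regexp of [^\s="]+, a text qualifier of ", and a value that may itself contain the key/value delimiter "=". The sample line is cut down from the raw log posted earlier; naive_parse is a deliberately delimiter-only splitter to show the truncation, and cn_from_dn is a constructed helper.

```python
import re

# Constructed sample, cut down from the raw log line posted in this thread.
# The value of Dn contains "=", and NetAddr_IPv4[...] has no "=" at all.
SAMPLE_LOG = (
    'vlogRecNo="47911", Pid="3175", Event="65536 RENAME", UserDn="Supervisor", '
    'Dn=".CN=bob.O=novell.T=CEF.", NetAddr_IPv4[123.456.78.90], '
    'source="[VLOG_VOL:/New Text Document.txt]", '
    'RenameFlags="0x00000101 { 0-ALLOW_RENAMES_TO_MYSELF 8-KEEP_VFS_CACHE}"'
)

# One token: a key (the thread's [^\s="]+ with "," added so a stray comma is
# never taken as part of a key), then "=", then either a double-quoted value
# (the text qualifier; it may contain "=" or ", ") or an unquoted run up to
# the next comma. A token with no "=" simply produces no match.
TOKEN_RE = re.compile(r'(?P<key>[^\s=",]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')

def naive_parse(line):
    """Delimiter-only splitter (not ArcSight's code): split on ", " and then
    on every "=", so Dn keeps only the text before its second "=". This is
    the kind of truncation a value containing the key/value delimiter causes."""
    out = {}
    for tok in line.split(", "):
        parts = tok.split("=")
        if len(parts) > 1:
            out[parts[0]] = parts[1].strip('"')
    return out

def parse_kv(line):
    """Quote-aware parse: "=" inside a quoted value stays part of the value."""
    fields = {}
    for m in TOKEN_RE.finditer(line):
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare").strip()
    return fields

def cn_from_dn(dn):
    """Constructed helper: pull the CN component out of a dotted DN such as
    .CN=bob.O=novell.T=CEF. (the form shown in the thread)."""
    m = re.search(r"(?:^|\.)CN=([^.]+)", dn)
    return m.group(1) if m else None

if __name__ == "__main__":
    print("naive Dn:", naive_parse(SAMPLE_LOG).get("Dn"))   # .CN
    fields = parse_kv(SAMPLE_LOG)
    print("quote-aware Dn:", fields["Dn"])                   # .CN=bob.O=novell.T=CEF.
    print("CN:", cn_from_dn(fields["Dn"]))                   # bob
```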
Trusted Contributor.

Sorry for the late answer, it still didn't manage to solve the problem.

I was also wondering about that: all the fields I make visible in ArcSight are processed as strings, and they are being forwarded and displayed like "somefield", -> including the separating comma. If I set a token's type such as int/long it won't be shown. (attached screenshot)

I'm using the key-value parser as an extraprocessor, which gets the logs from a syslog subagent (if I'm understanding it correctly; I just started working with it recently), and even if I comment out the delimiter etc. lines in the extraprocessor I get the same results as before, like it doesn't even matter that those configs are there.

Trusted Contributor. (accepted solution)

Well, seems like I could fix the problem by getting the values with regex straight in the syslog subagent, and now it works fine.

Thanks for all the help and have a nice day.

Respected Contributor.

Hello,

Can you try with these parameters?

key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)
