Commit 06c84ff

Merge pull request #5 from UncoderIO/logsource-and-value-parsing-fixes
splunk fixes
2 parents c2ee977 + 50dd41b commit 06c84ff

2 files changed

+8
-4
lines changed


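--- a/siem-converter/app/converter/backends/splunk/parsers/splunk.py
+++ b/siem-converter/app/converter/backends/splunk/parsers/splunk.py
@@ -45,8 +45,8 @@ def _parse_log_sources(self, query: str) -> Tuple[Dict[str, List[str]], str]:
 log_sources.setdefault(source_type, [])
 pattern = self.log_source_pattern.replace('___source_type___', source_type)
 while search := re.search(pattern, query, flags=re.IGNORECASE):
-results = search.groupdict()
-value = results.get("value")
+group_dict = search.groupdict()
+value = group_dict.get("d_q_value") or group_dict.get("value")
 log_sources.setdefault(source_type, []).append(value)
 pos_start = search.start()
 pos_end = search.end()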
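Review bot: The `or` on new line 49 treats an empty `d_q_value` match (`""`) the same as an absent group and falls through to `value`, and when that group is absent too the loop appends `None` to `log_sources`, so a quoted-but-empty source value ends up as a `None` entry rather than an empty string. If the intent is "prefer the quoted group whenever it matched", test for presence rather than truthiness, e.g. `d_q = group_dict.get("d_q_value")` and `value = d_q if d_q is not None else group_dict.get("value")`, and decide explicitly what to do when both are `None` instead of storing it. `self.log_source_pattern` is defined outside the hunk, so whether its `d_q_value` group can match an empty string is inferred from the group naming here rather than visible. The body of `_parse_log_sources` continues past the end of the hunk.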

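--- a/siem-converter/app/converter/backends/splunk/tokenizer.py
+++ b/siem-converter/app/converter/backends/splunk/tokenizer.py
@@ -29,8 +29,9 @@ class SplunkTokenizer(QueryTokenizer):
 num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)\s*"
 double_quotes_value_pattern = r'"(?P<d_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\'\.$&^@!\(\)\{\}\s]|\\\"|\\)*)"\s*'
 single_quotes_value_pattern = r"'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\"\.$&^@!\(\)\{\}\s]|\\\'|\\)*)'\s*"
-_value_pattern = fr"{num_value_pattern}|{double_quotes_value_pattern}|{single_quotes_value_pattern}"
-multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\s]*)\)"""
+no_quotes_value = r"(?P<no_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\.\\$&^@!])+)\s*"
+_value_pattern = fr"{num_value_pattern}|{no_quotes_value}|{double_quotes_value_pattern}|{single_quotes_value_pattern}"
+multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\s]+)\)"""
 keyword_pattern = double_quotes_value_pattern
 
 multi_value_operators = ("in",)
@@ -40,6 +41,9 @@ def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.E
 if num_value := get_match_group(match, group_name='num_value'):
 return operator, num_value
 
+elif no_q_value := get_match_group(match, group_name='no_q_value'):
+return operator, no_q_value
+
 elif d_q_value := get_match_group(match, group_name='d_q_value'):
 return operator, d_q_value
 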
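Review bot: In the new `_value_pattern` on line 33 the alternation still tries `num_value_pattern` before `no_quotes_value`, and `re` takes the first alternative that matches rather than the longest, so an unquoted value that starts with digits but continues with letters (a hex hash, a hostname such as `1host`) is consumed only up to its leading digits and the rest is left for the next token — the new `no_q_value` branch never sees it, which silently truncates exactly the indicator values a detection rule is likely to carry. Either stop the numeric alternative from ending inside a bare token, e.g. `num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)(?![a-zA-Z\*=+%#\-_/,\.\\$&^@!:])\s*"`, or document on `no_quotes_value` that it is only reached for tokens that do not begin with a digit. How the tokenizer applies `_value_pattern` (a cursor-anchored `re.match` versus `fullmatch`) is outside this hunk, so the truncation is inferred from the alternation order alone. The enclosing `SplunkTokenizer` class and the body of `get_operator_and_value` both extend beyond the hunk.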