Extract text from message

I’d like to have a Pipeline processor that pulls out the Antivirus Signature age and the Antispyware Signature age values from the following message.

I’ve tried looking through all the GROK documentation but can’t see anything that allows me to find and extract text from a message where the formatting is as below:

Endpoint Protection client health report (time in UTC):
 	Platform version: 4.18.2005.5
 	Engine version: 1.1.17100.2
 	Network Realtime Inspection engine version: 1.1.17100.2
 	Antivirus signature version: 1.317.1666.0
 	Antispyware signature version: 1.317.1666.0
 	Network Realtime Inspection signature version: 1.317.1666.0
 	RTP state: Enabled
 	OA state: Enabled
 	IOAV state: Enabled
 	BM state: Enabled
 	Antivirus signature age: 69
 	Antispyware signature age: 69
 	Last quick scan age: 0
 	Last full scan age: 4294967295
 	Antivirus signature creation time: 18/06/2020 16:23:49
 	Antispyware signature creation time: 18/06/2020 16:23:48
 	Last quick scan start time: 27/08/2020 02:54:01
 	Last quick scan end time: 27/08/2020 02:54:50
 	Last quick scan source: 2
 	Last full scan start time: 01/01/1601 00:00:00
 	Last full scan end time: 01/01/1601 00:00:00
 	Last full scan source: 0
 	Product status: 0x00080060

If you are only interested in that value you can use grok like regex. I am not really sure if this is the best way but it is possible.

Possible Grok-pattern quick and dirty:

.*?Antivirus signature age\:\ %{INT:antivirus_signature_age}

@xtruthx Thanks for that - how do you format that in a pipeline rule though? The grok function doesn’t have an example in the documentation and the Functions description in the rule editor just says grok(pattern, value).

If I try something like:

let ms = to_string($message.message);
let ava = grok(.*?Antivirus signature age\:\ %{INT:antivirus_signature_age}, ms);

I get a load of errors so I’m missing something, perhaps how to encapsulate the pattern?

You can find example of pipeline functions here:

For grok function check this:

So your correct line will be (It’s not necessary to escape : and space) and true in last parametes turns on only named captures:

  let ava = grok(".*?Antivirus signature age: %{INT:antivirus_signature_age}", ms, true);

@shoothub that’s really helpful thanks, it doesn’t quite return what I’m looking for though.

The result of the above line is:

{"antivirus_signature_age":"76"}

whereas I need it to be

76

I can’t figure out what needs to change, grok is new to me

You need to store it as field, so please add this line after line let ava:

    set_fields(ava);
1 Like

Thank you!

I was using set_field(“antivirus_signature_age”, ava);

I guess the grok result has the field name included.

The final answer was to use:

let ms = to_string($message.message);
let ava = grok(".*?Antivirus signature age: %{INT:antivirus_signature_age;int}", ms, true);
set_fields(ava);

Otherwise the set_fields command sets the INT as a String.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.