
Commit 50dd41b

committed
splunk fixes
1 parent c2ee977 commit 50dd41b


2 files changed

+8
-4
lines changed


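--- a/siem-converter/app/converter/backends/splunk/parsers/splunk.py
+++ b/siem-converter/app/converter/backends/splunk/parsers/splunk.py
@@ -45,8 +45,8 @@ def _parse_log_sources(self, query: str) -> Tuple[Dict[str, List[str]], str]:
 log_sources.setdefault(source_type, [])
 pattern = self.log_source_pattern.replace('___source_type___', source_type)
 while search := re.search(pattern, query, flags=re.IGNORECASE):
-results = search.groupdict()
-value = results.get("value")
+group_dict = search.groupdict()
+value = group_dict.get("d_q_value") or group_dict.get("value")
 log_sources.setdefault(source_type, []).append(value)
 pos_start = search.start()
 pos_end = search.end()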
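Review bot: The `or` fallback on the new `value = group_dict.get("d_q_value") or group_dict.get("value")` line treats an empty `d_q_value` capture the same as no capture, and when the `value` group is also absent the loop appends `None` to `log_sources`. The tokenizer's `d_q_value` group in this same commit is built with `(...)*`, so an empty double-quoted value is matchable there; if `log_source_pattern` (not visible here) uses the same construction, a legitimate empty string would be silently replaced by `None`. Consider `value = group_dict.get("d_q_value")` followed by `if value is None: value = group_dict.get("value")`, and skip the append when `value is None`. `_parse_log_sources` continues past the end of the hunk, where `pos_start`/`pos_end` are presumably used to trim `query` so the `while` terminates.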

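--- a/siem-converter/app/converter/backends/splunk/tokenizer.py
+++ b/siem-converter/app/converter/backends/splunk/tokenizer.py
@@ -29,8 +29,9 @@ class SplunkTokenizer(QueryTokenizer):
 num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)\s*"
 double_quotes_value_pattern = r'"(?P<d_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\'\.$&^@!\(\)\{\}\s]|\\\"|\\)*)"\s*'
 single_quotes_value_pattern = r"'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\"\.$&^@!\(\)\{\}\s]|\\\'|\\)*)'\s*"
-_value_pattern = fr"{num_value_pattern}|{double_quotes_value_pattern}|{single_quotes_value_pattern}"
-multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\s]*)\)"""
+no_quotes_value = r"(?P<no_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\.\\$&^@!])+)\s*"
+_value_pattern = fr"{num_value_pattern}|{no_quotes_value}|{double_quotes_value_pattern}|{single_quotes_value_pattern}"
+multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\s]+)\)"""
 keyword_pattern = double_quotes_value_pattern
 
 multi_value_operators = ("in",)
@@ -40,6 +41,9 @@ def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.E
 if num_value := get_match_group(match, group_name='num_value'):
 return operator, num_value
 
+elif no_q_value := get_match_group(match, group_name='no_q_value'):
+return operator, no_q_value
+
 elif d_q_value := get_match_group(match, group_name='d_q_value'):
 return operator, d_q_value
 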
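Review bot: The new class attribute `no_quotes_value` breaks the naming convention of its siblings (`num_value_pattern`, `double_quotes_value_pattern`, `single_quotes_value_pattern`); renaming it `no_quotes_value_pattern` in both the assignment and the `_value_pattern` f-string keeps the pattern attributes uniform. Because `num_value_pattern` stays the first alternative in `_value_pattern`, an unquoted token that begins with digits (constructed example: `1abc`) may be captured as `num_value` `1` with `abc` left over rather than as one `no_q_value`, depending on how the enclosing tokenizer pattern anchors the value; that context is not in the hunk, so this deserves a test case. The `*`→`+` change in `multi_value_pattern` means an empty `()` list no longer matches; if intended, a comment such as `# an empty multi-value list "()" is rejected` on that line would record it. The `elif no_q_value` branch in the second hunk mirrors the existing branches; `get_operator_and_value` continues beyond the hunk.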