topic How can I extract multiple fields? in Getting Data In

How can I extract multiple fields?

jacknguyen — Wed, 05 Apr 2023 16:43:51 GMT

I have a log event and I want to extract like this:

I want to show it line the red line. How ever it just recive the first line in event. how to show all the blue line?

Thank you for your help.

Re: Extrac Fields

yeahnah — Wed, 05 Apr 2023 02:53:37 GMT

Hi @jacknguyen

It is easier to help if you copy and paste the whole event as text - place inside a preformatted style, or code sample </> helps too.

Screen shots like this, with big multi-line events make it far harder to help and get some SPL code working.

Re: Extrac Fields

jacknguyen — Wed, 05 Apr 2023 03:00:23 GMT

this is event:

</>TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 TIME,Wed Apr 5 08:58:23 2023,1680659903 HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID CLIENT_LIST,jack_nguyen,116.100.47.155:1130,10.10.0.25,,2293690,17795968,Wed Apr 5 08:38:22 2023,1680658702,jack_nguyen,201,2 CLIENT_LIST,kane_vu,116.100.47.155:1135,10.10.0.35,,807236,269755,Wed Apr 5 08:50:46 2023,1680659446,kane_vu,202,3 CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,891114,9413845,Wed Apr 5 08:34:28 2023,1680658468,wanki_trinh,200,1 CLIENT_LIST,torin_huynh,116.110.42.16:62901,10.10.0.32,,2798473,5631112,Wed Apr 5 08:26:47 2023,1680658007,torin_huynh,199,0 CLIENT_LIST,william_vo,116.100.47.155:1138,10.10.0.22,,621296,10725869,Wed Apr 5 08:55:22 2023,1680659722,william_vo,203,4 HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t) ROUTING_TABLE,10.10.0.22,william_vo,116.100.47.155:1138,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1130,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Wed Apr 5 08:58:17 2023,1680659897 ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1135,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.32,torin_huynh,116.110.42.16:62901,Wed Apr 5 08:58:22 2023,1680659902 GLOBAL_STATS,Max bcast/mcast queue length,6 END<\>

Re: Extrac Fields

yeahnah — Wed, 05 Apr 2023 03:06:11 GMT

Sorry, I could have been clearer, the </> is an icon in the editor where you can add content so that the output does not get modified.

Please try adding again

Re: Extrac Fields

jacknguyen — Wed, 05 Apr 2023 03:08:25 GMT

TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 TIME,Tue Apr 4 15:57:03 2023,1680598623 HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr 4 09:21:41 2023,1680574901,louis_tran,181,1 CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr 4 09:15:02 2023,1680574502,wanki_trinh,180,0 CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr 4 13:53:19 2023,1680591199,william_nguyen,186,4 CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr 4 13:44:11 2023,1680590651,kane_vu,185,3 CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr 4 15:16:46 2023,1680596206,peter_nguyen,190,5 CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr 4 09:32:59 2023,1680575579,jack_nguyen,182,2 HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t) ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr 4 15:57:01 2023,1680598621 ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr 4 15:56:44 2023,1680598604 ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr 4 15:57:02 2023,1680598622 ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr 4 15:56:59 2023,1680598619 ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr 4 15:57:02 2023,1680598622 ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr 4 15:57:01 2023,1680598621 GLOBAL_STATS,Max bcast/mcast queue length,6 END

oh sorry my fault. there is

Re: Extrac Fields

yeahnah — Wed, 05 Apr 2023 03:34:00 GMT

Thanks, that helps a lot.

It's an interesting data set, multi-line with different CSV headers in the one event.

The following is a method that should meet your use case

... your search ... | rex field=_raw "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER" | multikv forceheader=1 | table Common_Name Virtual_Address Connected_Since

It pulls out (rex) the CSV section you're interested in and then uses the multikv command to extract the data as single line events.

You can rename the output fields if you like too.

Here's my run anywhere search I used to test the above.

| makeresults | eval event="TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 TIME,Tue Apr 4 15:57:03 2023,1680598623 HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr 4 09:21:41 2023,1680574901,louis_tran,181,1 CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr 4 09:15:02 2023,1680574502,wanki_trinh,180,0 CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr 4 13:53:19 2023,1680591199,william_nguyen,186,4 CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr 4 13:44:11 2023,1680590651,kane_vu,185,3 CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr 4 15:16:46 2023,1680596206,peter_nguyen,190,5 CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr 4 09:32:59 2023,1680575579,jack_nguyen,182,2 HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t) ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr 4 15:57:01 2023,1680598621 ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr 4 15:56:44 2023,1680598604 ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr 4 15:57:02 2023,1680598622 ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr 4 15:56:59 2023,1680598619 ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr 4 15:57:02 2023,1680598622 ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr 4 15:57:01 2023,1680598621 GLOBAL_STATS,Max bcast/mcast queue length,6 END" ``` above just creates the dummy events ``` | rex field=event "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER" | multikv forceheader=1 | table Common_Name Virtual_Address Connected_Since

Hope this helps

Re: Extrac Fields

jacknguyen — Tue, 11 Apr 2023 03:25:47 GMT

thank you for your help. its work