topic Re: Regex for multiple lines of a field value in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655612#M111074 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259969">@RahulMisra</a>&nbsp;,</P><P>could you share a sample of your full logs, not only a part of them?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 25 Aug 2023 09:41:28 GMT gcusello 2023-08-25T09:41:28Z How to create regex for multiple lines of a field value? https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655611#M111073 <P>I want to extract numeric values into seperate field</P> <P><SPAN>"</SPAN><SPAN class="">combinedrules</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> ["</SPAN><SPAN class="">3000039</SPAN><SPAN>", "</SPAN><SPAN class="">3000081</SPAN><SPAN>", "</SPAN><SPAN class="">958052</SPAN><SPAN>", "</SPAN><SPAN class="">973335</SPAN><SPAN>", "</SPAN><SPAN class=""><SPAN class="">XSS</SPAN>-<SPAN class="">ANOMALY</SPAN></SPAN><SPAN>"]</SPAN></P> <P>&nbsp;</P> <P><SPAN>Expected Output:</SPAN></P> <P><SPAN>Ruleid</SPAN></P> <P><SPAN>3000039</SPAN></P> <P><SPAN>3000081</SPAN></P> <P><SPAN><SPAN class="">958052</SPAN></SPAN></P> <P>&nbsp;</P> <P>Three<SPAN><SPAN class="">&nbsp;might be a case when there could be 2 rules Id in one event&nbsp;and i wan to see both gets displayed in a&nbsp; single line</SPAN></SPAN></P> Wed, 30 Aug 2023 16:09:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655611#M111073 RahulMisra 2023-08-30T16:09:17Z Re: Regex for multiple lines of a field value https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655612#M111074 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259969">@RahulMisra</a>&nbsp;,</P><P>could you share a sample of your full logs, not only a part of them?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 25 Aug 2023 09:41:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655612#M111074 gcusello 2023-08-25T09:41:28Z Re: Regex for multiple lines of a field value https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655613#M111075 <P><SPAN>{"</SPAN><SPAN class="">type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "testlog</SPAN><SPAN>", "</SPAN><SPAN class="">configId</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">22269</SPAN><SPAN>", "</SPAN><SPAN class="">policyId</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">FIST_52163</SPAN><SPAN>", "</SPAN><SPAN class="">anomali</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "34.87.65.2</SPAN><SPAN>", "</SPAN><SPAN class="">combinedrules</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> ["</SPAN><SPAN class="">3000039</SPAN><SPAN>", "</SPAN><SPAN class="">3000081</SPAN><SPAN>", "</SPAN><SPAN class="">958052</SPAN><SPAN>", "</SPAN><SPAN class="">973335</SPAN><SPAN>", "</SPAN><SPAN class="">XSS-ANOMALY</SPAN><SPAN>"], "</SPAN><SPAN class="">ruleMessages</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> ["</SPAN><SPAN class="">Cross-site</SPAN> <SPAN class="">Scripting</SPAN><SPAN> (</SPAN><SPAN class="">XSS</SPAN><SPAN>) </SPAN><SPAN class="">Attack</SPAN><SPAN>", "</SPAN><SPAN class="">Cross-site</SPAN> <SPAN class="">Scripting</SPAN><SPAN> (</SPAN><SPAN class="">XSS</SPAN><SPAN>) </SPAN><SPAN class="">Attack</SPAN><SPAN>", "</SPAN><SPAN class="">Cross-site</SPAN> <SPAN class="">Scripting</SPAN><SPAN> (</SPAN><SPAN class="">XSS</SPAN><SPAN>) </SPAN><SPAN class="">Attack</SPAN><SPAN>", "</SPAN><SPAN class="">Cross-site</SPAN> <SPAN class="">Scripting</SPAN><SPAN> (</SPAN><SPAN class="">XSS</SPAN><SPAN>) </SPAN><SPAN class="">Attack</SPAN><SPAN>", "</SPAN><SPAN class="">Anomaly</SPAN> <SPAN class="">Score</SPAN> <SPAN class="">Exceeded</SPAN> <SPAN class="">for</SPAN> <SPAN class="">Cross-site</SPAN> <SPAN class="">Scripting</SPAN><SPAN> (</SPAN><SPAN class="">XSS</SPAN><SPAN>) </SPAN><SPAN class="">Attack</SPAN><SPAN>"], "</SPAN><SPAN class="">ruleTags</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> ["</SPAN><SPAN class="">ASE/WEB_ATTACK/XSS</SPAN><SPAN>", "</SPAN><SPAN class="">ASE/WEB_ATTACK/XSS</SPAN><SPAN>", "</SPAN><SPAN class="">ASE/WEB_ATTACK/XSS</SPAN><SPAN>", "</SPAN><SPAN class="">ASE/WEB_ATTACK/XSS</SPAN><SPAN>", "</SPAN><SPAN class="">ASE/WEB_ATTACK/XSS</SPAN><SPAN>"], "</SPAN><SPAN class="">ruleData</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> ["</SPAN><SPAN class="">document.domain</SPAN><SPAN>", ")</SPAN><SPAN class="">alert</SPAN><SPAN>(", "</SPAN><SPAN class="">alert</SPAN><SPAN>(", "')</SPAN><SPAN class="">alert</SPAN><SPAN>(</SPAN><SPAN class="">document.domain</SPAN><SPAN>)", "</SPAN><SPAN class="">Vector</SPAN> <SPAN class="">Score:</SPAN> <SPAN class="">17</SPAN><SPAN>, </SPAN><SPAN class="">Group</SPAN> <SPAN class="">Threshold:</SPAN> <SPAN class="">7</SPAN><SPAN>, </SPAN><SPAN class="">Triggered</SPAN> <SPAN class="">Rules:</SPAN> <SPAN class="">3000081-958052-3000039-973335</SPAN><SPAN>, </SPAN><SPAN class="">Triggered</SPAN> <SPAN class="">Scores:</SPAN> <SPAN class="">5-5-5-2</SPAN><SPAN>, </SPAN><SPAN class="">Triggered</SPAN> <SPAN class="">Selector:</SPAN> <SPAN class="">ARGS:errorCode</SPAN><SPAN>, </SPAN><SPAN class="">Mitigated</SPAN> <SPAN class="">Rules:</SPAN><SPAN> , </SPAN><SPAN class="">Last</SPAN> <SPAN class="">Matched</SPAN> <SPAN class="">Message:</SPAN><SPAN> "], "</SPAN><SPAN class="">ruleActions</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> ["</SPAN><SPAN class="">alert</SPAN><SPAN>", "</SPAN><SPAN class="">alert</SPAN><SPAN>", "</SPAN><SPAN class="">alert</SPAN><SPAN>", "</SPAN><SPAN class="">alert</SPAN><SPAN>", "</SPAN><SPAN class="">deny</SPAN><SPAN>"], "</SPAN><SPAN class="">requestId</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">2ed42ca7</SPAN><SPAN>", "</SPAN><SPAN class="">method</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">GET</SPAN><SPAN>", "</SPAN><SPAN class="">Host</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "test.goodies.com</SPAN><SPAN>", "</SPAN><SPAN class="">path</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">/carbon/admin/login.jsp</SPAN><SPAN>", "</SPAN><SPAN class="">User-Agent</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">Mozilla/5.0</SPAN><SPAN> (</SPAN><SPAN class="">Windows</SPAN> <SPAN class="">NT</SPAN> <SPAN class="">5.1</SPAN><SPAN>) </SPAN><SPAN class="">AppleWebKit/537.36</SPAN><SPAN> (</SPAN><SPAN class="">KHTML</SPAN><SPAN>, </SPAN><SPAN class="">like</SPAN> <SPAN class="">Gecko</SPAN><SPAN>) </SPAN><SPAN class="">Chrome/34.0.1866.237</SPAN> <SPAN class="">Safari/537.36</SPAN><SPAN>", "</SPAN><SPAN class="">status</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">403</SPAN><SPAN>", "</SPAN><SPAN class="">Server</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">AkamaiGHost</SPAN><SPAN>", "</SPAN><SPAN class="">Date</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">Fri</SPAN><SPAN>, </SPAN><SPAN class="">25</SPAN> <SPAN class="">Aug</SPAN> <SPAN class="">2023</SPAN> <SPAN class="">09:10:04</SPAN> <SPAN class="">GMT</SPAN><SPAN>"}</SPAN></P> Fri, 25 Aug 2023 09:47:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655613#M111075 RahulMisra 2023-08-25T09:47:36Z Re: Regex for multiple lines of a field value https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655675#M111088 <P>Something like this?</P><LI-CODE lang="markup">| rex field=_raw "combinedrules\: \[(?&lt;Rules&gt;(.*[^(\]\,)?]))" | rex field=Rules max_match=0 "(?&lt;RuleId&gt;(\d+))" | stats count by RuleId</LI-CODE> Fri, 25 Aug 2023 16:33:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655675#M111088 Thulasinathan_M 2023-08-25T16:33:45Z Re: Regex for multiple lines of a field value https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655677#M111089 <P>It's not about a regex as such. It's about the whole props construction.</P><P>You have two options.</P><P>1. Use one transform to parse out the set of rules contained within brackets and then use another transform with SOURCE_KEY set to your extracted field and MV_ADD=true to further split it up into single values.</P><P>or</P><P>2. Parse out the whole set within brackets and then define TOKENIZER in fields.conf</P><P>The latter approach works with such lists while the first is a bit more generic.</P> Fri, 25 Aug 2023 16:50:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655677#M111089 PickleRick 2023-08-25T16:50:13Z Re: Regex for multiple lines of a field value https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655929#M111125 <P>So, we can;t make a regex on search to fetch the fields values ?</P> Tue, 29 Aug 2023 08:45:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-regex-for-multiple-lines-of-a-field-value/m-p/655929#M111125 RahulMisra 2023-08-29T08:45:03Z