https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521431#M88106 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;, based on your reply I've had a stab at extracting the values from _raw via rex using the below (ignore the non-CIM-compliant names for now)...</P><P>| rex field=_raw "(\"filterType\":\"Connection hostname\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;conn_host&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Message\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;msg&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Internal source device name\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;src_new&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Internal destination device name\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;dest_new&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Destination IP\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;dest_ip&gt;(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))|\"filterType\":\"Destination port\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;dest_port&gt;\d+))"</P><P>Unfortunately this is resulting in only one of the above fields being extracted for each event. I had hoped to avoid doing multiple individual rex's against _raw by putting each expression with a capture group (...|...|...). Am I missing some clever syntax here or is it just not possible?</P> Fri, 25 Sep 2020 10:56:40 GMT Dworsnop 2020-09-25T10:56:40Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521054#M88055 <P>I need to extract (at search time) a multivalue field in some JSON data in a manner that will allow me to perform additional, multiple regex's on the resulting field, all at search time. I can do this inline easily using:</P><P>| spath output=trigger_name path=triggeredComponents{}.triggeredFilters{}.filterType<BR />| spath output=trigger_value path=triggeredComponents{}.triggeredFilters{}.trigger.value<BR />| eval new_trig=mvzip(trigger_name,trigger_value,":")<BR />| mvexpand new_trig</P><P>| rex field=new_trig "^Internal destination device name:(?&lt;dest&gt;.*)$"<BR />| rex field=new_trig "^Destination IP:(?&lt;dest_ip&gt;(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))$"</P><P>&nbsp;</P><P>Thanks in advance&nbsp;&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Edit: I already have&nbsp;KV_MODE=JSON in my props.conf</P> Wed, 23 Sep 2020 12:56:26 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521054#M88055 Dworsnop 2020-09-23T12:56:26Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521087#M88061 <P>Please share some sample events.&nbsp; Also, tell us what's wrong with the existing search.</P> Wed, 23 Sep 2020 14:54:15 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521087#M88061 richgalloway 2020-09-23T14:54:15Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521226#M88076 <P>Thanks for replying&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;, the events come from an anomaly detection system and look like this (raw) - I've had to redact it quite heavily, hopefully it will still be of some use:&nbsp;</P><P><SPAN>{"</SPAN><SPAN class="t">creationTime</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">breachUrl</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">https://.../.../...</SPAN><SPAN>","</SPAN><SPAN class="t">commentCount</SPAN><SPAN>"</SPAN><SPAN class="t">:0</SPAN><SPAN>,"</SPAN><SPAN class="t">pbid</SPAN><SPAN>"</SPAN><SPAN class="t">:1315000</SPAN><SPAN>,"</SPAN><SPAN class="t">time</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">model</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">name</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Compromise::Watched</SPAN> <SPAN class="t">Domain</SPAN><SPAN>","</SPAN><SPAN class="t">pid</SPAN><SPAN>"</SPAN><SPAN class="t">:11</SPAN><SPAN>,"</SPAN><SPAN class="t">phid</SPAN><SPAN>"</SPAN><SPAN class="t">:8116</SPAN><SPAN>,"</SPAN><SPAN class="t">uuid</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"...</SPAN><SPAN>","</SPAN><SPAN class="t">logic</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">data</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{"</SPAN><SPAN class="t">cid</SPAN><SPAN>"</SPAN><SPAN class="t">:14400</SPAN><SPAN>,"</SPAN><SPAN class="t">weight</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>},{"</SPAN><SPAN class="t">cid</SPAN><SPAN>"</SPAN><SPAN class="t">:14401</SPAN><SPAN>,"</SPAN><SPAN class="t">weight</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>},{"</SPAN><SPAN class="t">cid</SPAN><SPAN>"</SPAN><SPAN class="t">:14402</SPAN><SPAN>,"</SPAN><SPAN class="t">weight</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>},{"</SPAN><SPAN class="t">cid</SPAN><SPAN>"</SPAN><SPAN class="t">:14403</SPAN><SPAN>,"</SPAN><SPAN class="t">weight</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>}],"</SPAN><SPAN class="t">targetScore</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>,"</SPAN><SPAN class="t">type</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">weightedComponentList</SPAN><SPAN>","</SPAN><SPAN class="t">version</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>},"</SPAN><SPAN class="t">throttle</SPAN><SPAN>"</SPAN><SPAN class="t">:3600</SPAN><SPAN>,"</SPAN><SPAN class="t">sharedEndpoints</SPAN><SPAN>"</SPAN><SPAN class="t">:false</SPAN><SPAN>,"</SPAN><SPAN class="t">actions</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">alert</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">...</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">breach</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">model</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">setPriority</SPAN><SPAN>"</SPAN><SPAN class="t">:false</SPAN><SPAN>,"</SPAN><SPAN class="t">setTag</SPAN><SPAN>"</SPAN><SPAN class="t">:false</SPAN><SPAN>,"</SPAN><SPAN class="t">setType</SPAN><SPAN>"</SPAN><SPAN class="t">:false</SPAN><SPAN>},"</SPAN><SPAN class="t">tags</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>["...</SPAN><SPAN>"],"</SPAN><SPAN class="t">interval</SPAN><SPAN>"</SPAN><SPAN class="t">:3600</SPAN><SPAN>,"</SPAN><SPAN class="t">sequenced</SPAN><SPAN>"</SPAN><SPAN class="t">:false</SPAN><SPAN>,"</SPAN><SPAN class="t">active</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">modified</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"...</SPAN><SPAN>","</SPAN><SPAN class="t">activeTimes</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">devices</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">93657</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">2830</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">636</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">2957</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">52344</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">4329</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">913</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}],"</SPAN><SPAN class="t">44</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{}]},"</SPAN><SPAN class="t">tags</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">type</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">exclusions</SPAN><SPAN>","</SPAN><SPAN class="t">version</SPAN><SPAN>"</SPAN><SPAN class="t">:2</SPAN><SPAN>},"</SPAN><SPAN class="t">priority</SPAN><SPAN>"</SPAN><SPAN class="t">:5</SPAN><SPAN>,"</SPAN><SPAN class="t">autoUpdatable</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">autoUpdate</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">autoSuppress</SPAN><SPAN>"</SPAN><SPAN class="t">:true</SPAN><SPAN>,"</SPAN><SPAN class="t">description</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"...</SPAN><SPAN>","</SPAN><SPAN class="t">behaviour</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">decreasing</SPAN><SPAN>","</SPAN><SPAN class="t">defeats</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[],"</SPAN><SPAN class="t">created</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">by</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">...</SPAN><SPAN>"},"</SPAN><SPAN class="t">edited</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">by</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">...</SPAN><SPAN>","</SPAN><SPAN class="t">userID</SPAN><SPAN>".</SPAN><SPAN class="t">..</SPAN><SPAN>},"</SPAN><SPAN class="t">version</SPAN><SPAN>"</SPAN><SPAN class="t">:24</SPAN><SPAN>},"</SPAN><SPAN class="t">triggeredComponents</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{"</SPAN><SPAN class="t">time</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">cbid</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">cid</SPAN><SPAN>"</SPAN><SPAN class="t">:14400</SPAN><SPAN>,"</SPAN><SPAN class="t">chid</SPAN><SPAN>"</SPAN><SPAN class="t">:25028</SPAN><SPAN>,"</SPAN><SPAN class="t">size</SPAN><SPAN>"</SPAN><SPAN class="t">:1</SPAN><SPAN>,"</SPAN><SPAN class="t">threshold</SPAN><SPAN>"</SPAN><SPAN class="t">:0</SPAN><SPAN>,"</SPAN><SPAN class="t">interval</SPAN><SPAN>"</SPAN><SPAN class="t">:3600</SPAN><SPAN>,"</SPAN><SPAN class="t">logic</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{...</SPAN><SPAN>}}}}},"</SPAN><SPAN class="t">version</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">v...</SPAN><SPAN>"},"</SPAN><SPAN class="t">metric</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">mlid</SPAN><SPAN>"</SPAN><SPAN class="t">:220</SPAN><SPAN>,"</SPAN><SPAN class="t">name</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">...</SPAN><SPAN>","</SPAN><SPAN class="t">label</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Watched</SPAN> <SPAN class="t">Domain</SPAN><SPAN>"},"</SPAN><SPAN class="t">triggeredFilters</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111671</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">A</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Watched</SPAN> <SPAN class="t">endpoint</SPAN> <SPAN class="t">source</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">.</SPAN><SPAN>+"},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">does</SPAN> <SPAN class="t">not</SPAN> <SPAN class="t">match</SPAN> <SPAN class="t">regular</SPAN> <SPAN class="t">expression</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>""}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111673</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">C</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Direction</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">out</SPAN><SPAN>"},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">is</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">out</SPAN><SPAN>"}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111675</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">E</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Internal</SPAN> <SPAN class="t">source</SPAN> <SPAN class="t">device</SPAN> <SPAN class="t">type</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">12</SPAN><SPAN>"},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">is</SPAN> <SPAN class="t">not</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Server</SPAN><SPAN>"}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111676</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d1</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Internal</SPAN> <SPAN class="t">source</SPAN> <SPAN class="t">device</SPAN> <SPAN class="t">type</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Server</SPAN><SPAN>"}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111677</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d2</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Connection</SPAN> <SPAN class="t">hostname</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>""}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111678</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d3</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Destination</SPAN> <SPAN class="t">IP</SPAN><SPAN>","</SPAN><SPAN class="t h">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"1.2.3.4</SPAN><SPAN>"}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111679</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d4</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">ASN</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>""}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111680</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d5</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Country</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>""}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111681</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d6</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Message</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">politicweekend.com</SPAN><SPAN>"}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111682</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d7</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Watched</SPAN> <SPAN class="t">endpoint</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">true</SPAN><SPAN>"}},{"</SPAN><SPAN class="t">cfid</SPAN><SPAN>"</SPAN><SPAN class="t">:111683</SPAN><SPAN>,"</SPAN><SPAN class="t">id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">d8</SPAN><SPAN>","</SPAN><SPAN class="t">filterType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Watched</SPAN> <SPAN class="t">endpoint</SPAN> <SPAN class="t">source</SPAN><SPAN>","</SPAN><SPAN class="t">arguments</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{},"</SPAN><SPAN class="t">comparatorType</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">display</SPAN><SPAN>","</SPAN><SPAN class="t">trigger</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>""}}]}],"</SPAN><SPAN class="t">score</SPAN><SPAN>"</SPAN><SPAN class="t">:0.161</SPAN><SPAN>,"</SPAN><SPAN class="t">device</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">did</SPAN><SPAN>"</SPAN><SPAN class="t">:74376</SPAN><SPAN>,"</SPAN><SPAN class="t">ip</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"5.6.7.8</SPAN><SPAN>","</SPAN><SPAN class="t">ips</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[{"</SPAN><SPAN class="t">ip</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"5.6.7.8</SPAN><SPAN>","</SPAN><SPAN class="t">timems</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">time</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"...</SPAN><SPAN>","</SPAN><SPAN class="t">sid</SPAN><SPAN>"</SPAN><SPAN class="t">:512731</SPAN><SPAN>}],"</SPAN><SPAN class="t">sid</SPAN><SPAN>"</SPAN><SPAN class="t">:512731</SPAN><SPAN>,"</SPAN><SPAN class="t">firstSeen</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">lastSeen</SPAN><SPAN>"</SPAN><SPAN class="t">:...</SPAN><SPAN>,"</SPAN><SPAN class="t">devicelabel</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"...</SPAN><SPAN>","</SPAN><SPAN class="t">typename</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">server</SPAN><SPAN>","</SPAN><SPAN class="t">typelabel</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">Server</SPAN><SPAN>"}}</SPAN></P><P>&nbsp;</P><P><SPAN>There's nothing wrong with my inline search. I'm trying to make the events CIM-compliant and fields like dest are contained in this new_trig mv field that I've spath'd and then regex'd out. So I want the CIM fields to be present in the index so things like the Intrusion Detection data model can be populated for use by Enterprise Security. Also, the regex's will differ according to the detection model that has been breached, i.e. the actual destination for an event might be called something different in 'trigger_name' according to the model being breached.</SPAN></P> Thu, 24 Sep 2020 08:28:53 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521226#M88076 Dworsnop 2020-09-24T08:28:53Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521273#M88086 <P>I think you have some competing requirements/desires.&nbsp; To get CIM compliance you just need to map the existing fields to the CIM equivalents.&nbsp; Do that with field aliases.&nbsp; Go to Settings-&gt;Fields-&gt;Field aliases to create them.&nbsp; Or have your rex commands extract field using the CIM-compliant name.&nbsp; To get the fields into an index, however, requires the extractions be done at index time or by a data model acceleration.</P> Thu, 24 Sep 2020 13:28:13 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521273#M88086 richgalloway 2020-09-24T13:28:13Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521431#M88106 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;, based on your reply I've had a stab at extracting the values from _raw via rex using the below (ignore the non-CIM-compliant names for now)...</P><P>| rex field=_raw "(\"filterType\":\"Connection hostname\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;conn_host&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Message\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;msg&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Internal source device name\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;src_new&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Internal destination device name\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;dest_new&gt;[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Destination IP\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;dest_ip&gt;(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))|\"filterType\":\"Destination port\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?&lt;dest_port&gt;\d+))"</P><P>Unfortunately this is resulting in only one of the above fields being extracted for each event. I had hoped to avoid doing multiple individual rex's against _raw by putting each expression with a capture group (...|...|...). Am I missing some clever syntax here or is it just not possible?</P> Fri, 25 Sep 2020 10:56:40 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521431#M88106 Dworsnop 2020-09-25T10:56:40Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521446#M88107 <P>I usually recommend multiple <FONT face="courier new,courier">rex</FONT> commands over large, complex ones.&nbsp; It's practically a requirement if the fields aren't guaranteed to be in the same order every time.&nbsp; With a complex regex, it's too easy for a single character change to make the regex fail.</P> Fri, 25 Sep 2020 12:40:51 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521446#M88107 richgalloway 2020-09-25T12:40:51Z https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521448#M88108 <P>I think that's what I'll be doing. Thanks very much for the help <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;.</P> Fri, 25 Sep 2020 12:43:18 GMT https://community.splunk.com/t5/Getting-Data-In/mv-extraction-in-props-conf/m-p/521448#M88108 Dworsnop 2020-09-25T12:43:18Z