https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695628#M10210 <P>I would like to automatically extract fields using props.conf.<BR />When there is a pattern like the one below, what I want to extract is each file name. attach_filename:[""] contains one or two file names.<BR />How can I extract all file names?</P><P>&nbsp;</P><LI-CODE lang="markup">"attach_filename":["image.png","GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent"] "attach_filename":["image.png","Office2016_Patcher_For_OSX.torrent"] "attach_filename":["image.png"] "attach_filename":["Saccharomyces_cerevisiae_patent.docx"]</LI-CODE><P>&nbsp;</P><P>field extract will be store file_name</P><P>&nbsp;</P><P>file_name : image.png,&nbsp;<BR />Saccharomyces_cerevisiae_patent.docx,&nbsp;<BR />GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent,&nbsp;Office2016_Patcher_For_OSX.torrent</P><P>&nbsp;</P> Thu, 08 Aug 2024 01:49:30 GMT silverKi 2024-08-08T01:49:30Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695628#M10210 <P>I would like to automatically extract fields using props.conf.<BR />When there is a pattern like the one below, what I want to extract is each file name. attach_filename:[""] contains one or two file names.<BR />How can I extract all file names?</P><P>&nbsp;</P><LI-CODE lang="markup">"attach_filename":["image.png","GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent"] "attach_filename":["image.png","Office2016_Patcher_For_OSX.torrent"] "attach_filename":["image.png"] "attach_filename":["Saccharomyces_cerevisiae_patent.docx"]</LI-CODE><P>&nbsp;</P><P>field extract will be store file_name</P><P>&nbsp;</P><P>file_name : image.png,&nbsp;<BR />Saccharomyces_cerevisiae_patent.docx,&nbsp;<BR />GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent,&nbsp;Office2016_Patcher_For_OSX.torrent</P><P>&nbsp;</P> Thu, 08 Aug 2024 01:49:30 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695628#M10210 silverKi 2024-08-08T01:49:30Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695637#M10211 <P>My first reaction is: regex is the wrong solution. &nbsp;This looks like part of a JSON document. &nbsp;Treating structured data as text string is just calling for trouble down the road. &nbsp;Can you share raw events? (Anonymize as needed.)</P><P>Or, if this is a developer's joke, and you only have this string in a field, let's call it field1, you can still use Splunk's JSON capability to extract data. &nbsp;It's much more robust. &nbsp;Something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval field1 = "{" . field1 . "}" | spath input=field1</LI-CODE><P>&nbsp;</P><P>Your mock data will give</P><TABLE><TBODY><TR><TD><DIV class="">attach_filename{}</DIV></TD><TD>field1</TD></TR><TR><TD><DIV class="">image.png</DIV><DIV class="">GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent</DIV></TD><TD>{"attach_filename":["image.png","GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent"]}</TD></TR><TR><TD><DIV class="">image.png</DIV><DIV class="">Office2016_Patcher_For_OSX.torrent</DIV></TD><TD>{"attach_filename":["image.png","Office2016_Patcher_For_OSX.torrent"]}</TD></TR><TR><TD>image.png</TD><TD>{"attach_filename":["image.png"]}</TD></TR><TR><TD>Saccharomyces_cerevisiae_patent.docx</TD><TD>{"attach_filename":["Saccharomyces_cerevisiae_patent.docx"]}</TD></TR></TBODY></TABLE><P>Here is an emulation you can play with and compare with real data, if your developers really play such a joke.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | fields - _* | eval field1 = split("\"attach_filename\":[\"image.png\",\"GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent\"] \"attach_filename\":[\"image.png\",\"Office2016_Patcher_For_OSX.torrent\"] \"attach_filename\":[\"image.png\"] \"attach_filename\":[\"Saccharomyces_cerevisiae_patent.docx\"]", " ") | mvexpand field1 ``` data emulation ```</LI-CODE><P>&nbsp;</P> Thu, 08 Aug 2024 04:28:19 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695637#M10211 yuanliu 2024-08-08T04:28:19Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695639#M10212 <P>you're right. I am trying to extract fields from JSON-data.</P><P>I used botsv2 data, in "stream:smtp" sourcetype.<BR /><BR />This is my _raw data(I try to search index="botsv2" sourcetype="stream:smtp").<BR /><SPAN>The _raw data result.</SPAN></P><PRE><SPAN><BR />{"</SPAN><SPAN class="">endtime</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2017-08-31T22:56:56.070751Z</SPAN><SPAN>","</SPAN><SPAN class="">timestamp</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2017-08-31T22:56:56.070751Z</SPAN><SPAN>","</SPAN><SPAN class="">ack_packets_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">ack_packets_out</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">bytes</SPAN><SPAN>"</SPAN><SPAN class="">:72</SPAN><SPAN>,"</SPAN><SPAN class="">bytes_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">bytes_out</SPAN><SPAN>"</SPAN><SPAN class="">:72</SPAN><SPAN>,"</SPAN><SPAN class="">capture_hostname</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">matar</SPAN><SPAN>","</SPAN><SPAN class="">client_rtt</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">client_rtt_packets</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">client_rtt_sum</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">data_packets_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">data_packets_out</SPAN><SPAN>"</SPAN><SPAN class="">:1</SPAN><SPAN>,"</SPAN><SPAN class="">dest_ip</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">172.31.38.181</SPAN><SPAN>","</SPAN><SPAN class="">dest_mac</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">06:6A:51:FA:0A:B0</SPAN><SPAN>","</SPAN><SPAN class="">dest_port</SPAN><SPAN>"</SPAN><SPAN class="">:25</SPAN><SPAN>,"</SPAN><SPAN class="">duplicate_packets_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">duplicate_packets_out</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">flow_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">b6b9eb1b-e8e1-4cec-ab3c-f7223adc490a</SPAN><SPAN>","</SPAN><SPAN class="">greeting</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">ip-172-31-38-181.us-west-2.compute.internal</SPAN> <SPAN class="">ESMTP</SPAN> <SPAN class="">Postfix</SPAN><SPAN> (</SPAN><SPAN class="">Ubuntu</SPAN><SPAN>)","</SPAN><SPAN class="">missing_packets_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">missing_packets_out</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">network_interface</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">eth0</SPAN><SPAN>","</SPAN><SPAN class="">packets_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">packets_out</SPAN><SPAN>"</SPAN><SPAN class="">:1</SPAN><SPAN>,"</SPAN><SPAN class="">protocol_stack</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">ip:tcp:smtp</SPAN><SPAN>","</SPAN><SPAN class="">reply_time</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">request_ack_time</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">request_time</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">response_ack_time</SPAN><SPAN>"</SPAN><SPAN class="">:24624</SPAN><SPAN>,"</SPAN><SPAN class="">response_code</SPAN><SPAN>"</SPAN><SPAN class="">:220</SPAN><SPAN>,"</SPAN><SPAN class="">response_time</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">sender_server</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">ip-172-31-38-181.us-west-2.compute.internal</SPAN><SPAN>","</SPAN><SPAN class="">server_agent</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">ESMTP</SPAN> <SPAN class="">Postfix</SPAN><SPAN> (</SPAN><SPAN class="">Ubuntu</SPAN><SPAN>)","</SPAN><SPAN class="">server_response</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">220</SPAN> <SPAN class="">ip-172-31-38-181.us-west-2.compute.internal</SPAN> <SPAN class="">ESMTP</SPAN> <SPAN class="">Postfix</SPAN><SPAN> (</SPAN><SPAN class="">Ubuntu</SPAN><SPAN>)","</SPAN><SPAN class="">server_rtt</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">server_rtt_packets</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">server_rtt_sum</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">src_ip</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">104.47.34.68</SPAN><SPAN>","</SPAN><SPAN class="">src_mac</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">06:E3:CC:18:AA:33</SPAN><SPAN>","</SPAN><SPAN class="">src_port</SPAN><SPAN>"</SPAN><SPAN class="">:37952</SPAN><SPAN>,"</SPAN><SPAN class="">time_taken</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">transport</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">tcp</SPAN><SPAN>"}<BR /></SPAN></PRE><P><SPAN class="">I have one more question. The raw data results I searched with index=botsv2 sourcetype="stream:smtp" and Why are the search results with index="botsv2" sourcetype="stream:smtp" attach_filename{}="*" different? The field I want to extract exists in the search results with index="botsv2" sourcetype="stream:smtp" attach_filename{}="*".</SPAN></P><P><BR /><BR />Search Try: index="botsv2" sourcetype="stream:smtp" attach_filename{}="*"</P><PRE><BR /><SPAN>{"</SPAN><SPAN class="">endtime</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2017-08-30T15:08:00.075698Z</SPAN><SPAN>","</SPAN><SPAN class="">timestamp</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2017-08-30T15:07:59.774655Z</SPAN><SPAN>","</SPAN><SPAN class="">ack_packets_in</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">ack_packets_out</SPAN><SPAN>"</SPAN><SPAN class="">:31</SPAN><SPAN>,"</SPAN><SPAN class="">attach_disposition</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">attachment</SPAN><SPAN>"],"</SPAN><SPAN class="">attach_filename</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">Saccharomyces_cerevisiae_patent.docx</SPAN><SPAN>"],"</SPAN><SPAN class="">attach_size</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>[</SPAN><SPAN class="">142540</SPAN><SPAN>],"</SPAN><SPAN class="">attach_size_decoded</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>[</SPAN><SPAN class="">104162</SPAN><SPAN>],"</SPAN><SPAN class="">attach_transfer_encoding</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">base64</SPAN><SPAN>"],"</SPAN><SPAN class="">attach_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class=""><SPAN class="">application/vnd.openxmlformats</SPAN>-officedocument.wordprocessingml.document</SPAN><SPAN>"],"</SPAN><SPAN class="">bytes</SPAN><SPAN>"</SPAN><SPAN class="">:155976</SPAN><SPAN>,"</SPAN><SPAN class="">bytes_in</SPAN><SPAN>"</SPAN><SPAN class="">:155939</SPAN><SPAN>,"</SPAN><SPAN class="">bytes_out</SPAN><SPAN>"</SPAN><SPAN class="">:37</SPAN><SPAN>,"</SPAN><SPAN class="">capture_hostname</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">matar</SPAN><SPAN>","</SPAN><SPAN class="">client_rtt</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">client_rtt_packets</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">client_rtt_sum</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">content</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">DKIM-Signature:</SPAN> <SPAN class="">v=1</SPAN><SPAN>; </SPAN><SPAN class="">a=rsa-sha256</SPAN><SPAN>; </SPAN><SPAN class="">c=relaxed/relaxed</SPAN><SPAN>;</SPAN><SPAN class="">\r\n</SPAN> <SPAN class="">d=jacobsmythe111.onmicrosoft.com</SPAN><SPAN>; </SPAN><SPAN class="">s=selector1-froth-ly</SPAN><SPAN>;</SPAN><SPAN class="">\r\n</SPAN> <SPAN class="">h=From:Date:Subject:Message-ID:Content-Type:MIME-Version</SPAN><SPAN>;</SPAN><BR />&nbsp;</PRE><P>&nbsp;</P> Thu, 08 Aug 2024 05:41:53 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695639#M10212 silverKi 2024-08-08T05:41:53Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695642#M10213 <P>So, you already have attach_filename{} extracted by Splunk. &nbsp;No need for extra work. &nbsp;Is this correct?</P><P>To answer your question about two searches, when you add an additional filter, you SHOULD expect the result to change. &nbsp;It is obvious that not all events have that attach_filename{} field populated. &nbsp;If you do</P><LI-CODE lang="markup">index="botsv2" sourcetype="stream:smtp" attach_filename{}="*"</LI-CODE><P>you only select those events with this field. &nbsp;Without&nbsp;attach_filename{}="*", you pick up every event, including those that do not have&nbsp;attach_filename{}.</P> Thu, 08 Aug 2024 05:56:07 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695642#M10213 yuanliu 2024-08-08T05:56:07Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695644#M10214 <PRE><SPAN class="">Then, how do I change the field name from attach_filename{} to file_name?</SPAN></PRE> Thu, 08 Aug 2024 05:59:30 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695644#M10214 silverKi 2024-08-08T05:59:30Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695653#M10217 <P>&nbsp;</P><BLOCKQUOTE><SPAN>Then, how do I change the field name from attach_filename{} to file_name?</SPAN><BR /><HR /></BLOCKQUOTE><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rename" target="_blank" rel="noopener"><BR />rename</A>&nbsp;is your friend.</P><LI-CODE lang="markup">| rename attach_filename{} as filename</LI-CODE><P>&nbsp;</P> Thu, 08 Aug 2024 07:13:44 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695653#M10217 yuanliu 2024-08-08T07:13:44Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695659#M10218 <P>You can change the field name with the "rename" method,<BR />but what I wanted was for the desired field name to be searched<BR />when I searched with just&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=botsv2 sourcetype="stream:smtp"</LI-CODE><P>&nbsp;</P><P>---------------------------------------------------------------------------------------------------------------------------------------------</P><PRE><SPAN class="">index=botsv2 sourcetype="stream:smtp" attach_filename{}="*" </SPAN></PRE><P>(Before,, In order to extraact file_name, I had to search for&nbsp; that..)<BR /><BR />I took a hint from your words and solved it in a different way.<BR /><BR />Taking a hint that <STRONG>attach_filename{} was already extracted from splunk</STRONG>,<BR />I created a lookup-file using "spath" and made it "Auto-Lookup".<BR /><BR />Then, the field is now extracted and displayed with just index=botsv2 sourcetype="stream:smtp".<BR /><BR />I really appreciate your help. Thank You <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 08 Aug 2024 07:50:25 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695659#M10218 silverKi 2024-08-08T07:50:25Z https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695738#M10222 <P>You know there is a field alias feature in Splunk, too. &nbsp;That is a more appropriate solution if you do really want to search by a different name. &nbsp;An extra lookup is clunky and also a compute cost.</P><P>Go to Settings -&gt; Fields -&gt; Field aliases. &nbsp;</P> Thu, 08 Aug 2024 17:54:44 GMT https://community.splunk.com/t5/Knowledge-Management/Fields-using-regular-expressions/m-p/695738#M10222 yuanliu 2024-08-08T17:54:44Z