topic Re: Multi Valued Field Help in Splunk Search

Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 15:17:40 GMT

I have looked at a ton of posts about breaking a multivalued field but having zero luck effecting a solution. I have a csv file that i have imported into splunk. In one of the fields, it contains data like this:

Subject Name: Country: US State/Province: Virginia Locality: Glen Allen

I thought i could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what i want. Can someone lend me their expertise in resolving?

Ideally once i break this field up into its individual pieces i want to create a dashboard that check one of them and ties it to all its records. Worry for another day if i can't break up the field.

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 16:37:40 GMT

This is a bit unclear, assuming you extract the country value from the example you have shown above into a new field using rex ,let's call it cntry. Now, for each column of the CSV having this field you should get your values for cntry.
Can you elaborate a bit more?

Re: Multi Valued Field Help

woodcock — Thu, 02 May 2019 16:49:50 GMT

Like this:

... | rex "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

Re: Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 16:53:25 GMT

Can definitely elaborate. Basically we are using Nessus to scan the environment for SSL certificates with the idea of creating a report to identify certs that will be expiring. So the output from nessus is say 10 columns (what i am calling fields) comma delimited that Splunk picks up on. Unfortunately one of those columns houses the elements that individually house about 10 attributes i really want to pull out as fields. I.E. Subject Name:, Common Name:, Country:, State/province:, Issue Date:, etc.

Re: Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 16:55:55 GMT

WIth this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is if i do that and don't see fields created for the attributes, how do i reference those rex values for a table (as an example)?

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 17:03:23 GMT

it should be visible in the left hand side or append |table Country,State,Locality
Are you able to see those values in a table now?

Re: Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 17:10:37 GMT

Ok, unfortunately I do not see those "fields" if you will on the left side nav bar, nor does the table output anything other than the headers with no data.

Re: Multi Valued Field Help

woodcock — Thu, 02 May 2019 17:20:01 GMT

Show us 1 full sample event and also the SPL that you are using.

Re: Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 17:26:57 GMT

Re: Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 17:27:15 GMT

Is this legible enough?

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 17:35:08 GMT

Try index=nessus|rename "Plugin Output" as plug_out| rex field=_plug_out"Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

@woodcock 's rex is correct and will work. check using table

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 19:22:55 GMT

| makeresults 
| eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
| rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

Re: Multi Valued Field Help

ghostdog920 — Thu, 02 May 2019 19:22:56 GMT

Still no go. Thanks for all your help with this though as i wouldn't have gotten this far without you.

Re: Multi Valued Field Help

Sukisen1981 — Wed, 30 Sep 2020 00:24:46 GMT

remove the quotes you put ahead of plug_out in the rex , copy and paste this | makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.*?)\s+State\/Province:\s+(?.*?)\s+Locality:\s+(?.*)$"

Re: Multi Valued Field Help

ghostdog920 — Wed, 30 Sep 2020 00:22:03 GMT

Tried this:
index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And got this:
Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Re: Multi Valued Field Help

ghostdog920 — Wed, 30 Sep 2020 00:22:00 GMT

So sorry, thought i responded back. I tried this:

index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And i got this output:

Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Thoughts on where i messed up?

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 19:22:58 GMT

this will give you a 1 line sample output , is this what you need but for all lines of your csv?

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 19:22:59 GMT

wait a sec its copying out incorrectly from my splunk browser to here

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 19:23:48 GMT

there you go just copy and paste it this one line works...sorry i guess the code copy in the comments was eating out some stuff from the rex

Re: Multi Valued Field Help

Sukisen1981 — Thu, 02 May 2019 19:26:31 GMT

if this works as it should all you need to do is append index=nessus|rename "Plugin Output" as plug_out before the rex , remove makeresults & the hard coded eval