https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481272#M134864 <PRE><CODE>| makeresults | eval _raw="calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167," | rex mode=sed "s/cisco-av-pair=mdm-tlv=//g" | extract pairdelim="," kvdelim="=" </CODE></PRE> <P>props.conf</P> <PRE><CODE>SEDCMD-trim = s/cisco-av-pair=mdm-tlv=//g </CODE></PRE> Tue, 21 Apr 2020 22:51:16 GMT to4kawa 2020-04-21T22:51:16Z https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481271#M134863 <P>Hi,</P> <P>we have from a cisco ISE a syslog like this one:</P> <P>calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167,</P> <P>The key=value extraction works fine. But I have a multi-value field called cisco-av-pair containing these values:<BR /> ..<BR /> mdm-tlv=device-platform-version=6.3.9600<BR /> mdm-tlv=device-uid=C3..<BR /> ..</P> <P>I would like to have the mdm-tlv prefix cut-off and have the key/value extraction on the subfields. At the end there should be these single-value fields:<BR /> device-platform-version , device-uid, device-platform <BR /> with the corresponding values.</P> <P>How is that done in props/transforms? <BR /> I know I can write a regex doing this stuff, but a more generic way without explicit naming the fields would be fine.</P> Tue, 21 Apr 2020 14:56:43 GMT https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481271#M134863 tfechner 2020-04-21T14:56:43Z https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481272#M134864 <PRE><CODE>| makeresults | eval _raw="calling-Station-ID=15.15.15.15, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 95.90.193.23, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=cc-ed-ce-f9-af-47, cisco-av-pair=mdm-tlv=device-platform-version=6.3.9600 , cisco-av-pair=mdm-tlv=device-type=FUJITSU LIFEBOOK E744, cisco-av-pair=mdm-tlv=device-public-mac=ab-bd-ce-f9-af-47, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.01103, cisco-av-pair=mdm-tlv=device-uid=C3FFF95AFDEE9CBA21839EA8D594D7F87165993CE2C8853A262179F90AC70167," | rex mode=sed "s/cisco-av-pair=mdm-tlv=//g" | extract pairdelim="," kvdelim="=" </CODE></PRE> <P>props.conf</P> <PRE><CODE>SEDCMD-trim = s/cisco-av-pair=mdm-tlv=//g </CODE></PRE> Tue, 21 Apr 2020 22:51:16 GMT https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481272#M134864 to4kawa 2020-04-21T22:51:16Z https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481273#M134865 <P>ok - this is the easy way - works. will use this.</P> <P>But the original _raw is altered.<BR /> I thought it might be a solution like:<BR /> DELIM="cisco-av-pair=mdm-tlv","=",</P> Wed, 22 Apr 2020 06:33:06 GMT https://community.splunk.com/t5/Splunk-Search/parsing-multivalue-subfields-in-cisco-ise/m-p/481273#M134865 tfechner 2020-04-22T06:33:06Z