topic Re: How can I extract a multi value field? in Splunk Search

How can I extract a multi value field?

danielbb — Wed, 13 Nov 2019 14:39:10 GMT

We have a field called IP-Group. It can be empty or it would have this format - IP-Group={xxxx} {yyyy} {zzz}.

Can I extract it until the last } and maybe extract each value separately as well?

Re: How can I extract a multi value field?

danielbb — Wed, 13 Nov 2019 15:15:12 GMT

The following does it -

| makeresults 
| eval xx="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=xx "IP-Group=(?<yy>.+\})"

But can we generate a distinct field for each value?

Re: How can I extract a multi value field?

mayurr98 — Wed, 13 Nov 2019 15:22:51 GMT

try this:

| makeresults 
| eval xx="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=xx "IP-Group=\{(?<x>[^\}]+)\}\s+\{(?<y>[^\}]+)\}\s+\{(?<z>[^\}]+)"

Re: How can I extract a multi value field?

ololdach — Wed, 13 Nov 2019 15:23:35 GMT

Hi,
please try this:

|makeresults|eval IP-Group="{ip1} {ip2} {ip3} {ip4}"|makemv delim=" " IP-Group | mvexpand IP-Group | rex field=IP-Group "\{(?<ipvalue>.*)\}

You want to have one event per ip value, because the length of your list is dynamic and there is no other way that comes to my mind to parse a variable number of values from a list.
Hope it helps
Oliver

Re: How can I extract a multi value field?

FrankVl — Wed, 13 Nov 2019 15:24:02 GMT

Distinct fields as in, ipgroup1=xxx, ipgroup2=yyy, ipgroup3=zzz?

If the actual number of items in the multivalued field is dynamic, that is going to be pretty difficult to solve elegantly.

If the number of possible entries is somewhat limited (e.g. max 3) you can do it like this:

| rex field=xx "IP-Group=\{(?<ipgroup1>[^}]+)\}(?:\s+\{(?<ipgroup2>[^}]+)\})?(?:\s+\{(?<ipgroup3>[^}]+)\})?"

See: https://regex101.com/r/RSfFlu/1

This approach can be extended as far as you want, by just appending more (?:\s+\{(?<ipgroup...>[^}]+)\})? parts. But that gets a bit ugly if it can also be 100 entries.

Re: How can I extract a multi value field?

danielbb — Wed, 13 Nov 2019 15:36:34 GMT

I get *Unbalanced quotes. * on that.

Re: How can I extract a multi value field?

mayurr98 — Wed, 13 Nov 2019 15:46:00 GMT

"\{(?<ipvalue>.*)\}" change
add " at the end

Re: How can I extract a multi value field?

danielbb — Wed, 13 Nov 2019 16:37:11 GMT

Great! looks good.

Re: How can I extract a multi value field?

codebuilder — Wed, 13 Nov 2019 16:54:00 GMT

If you are ingesting structured data like JSON or XML, then you can use set kvmode in props.conf for automatic kv field extraction.
I've not personally used it for JSON, but I do use it for XML and it works like a champ, including multi-value fields.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsearch-time

Re: How can I extract a multi value field?

ololdach — Wed, 13 Nov 2019 18:46:02 GMT

Sorry, cut & paste error 🙂 forgot to paste the final "

Re: How can I extract a multi value field?

vnravikumar — Thu, 14 Nov 2019 03:45:14 GMT

Try this

| makeresults 
| eval temp="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=temp max_match=0 "\{(?P<result>[^}]+)"

Re: How can I extract a multi value field?

danielbb — Thu, 14 Nov 2019 14:35:10 GMT

Great - this is slick!!!