topic Re: splunks in Splunk Search

splunks

vinod0313 — Thu, 20 Aug 2020 10:23:46 GMT

Hello

I have a log as shown below

FeatureDetails [tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]

i want to show my result like below

tokenValidatorInfo=false
requestValidationRequired=false
requestPayloadValidationRequired=false
responsePayloadValidationRequired=false
aopUsed=false
tibcoCommunicatorUsed=false
secretsSecured=false

Re: splunks

Nisha18789 — Thu, 20 Aug 2020 10:38:27 GMT

Hello @vinod0313 , you can use below query , to remove commas and show the data as multivalued

| eval _raw="FeatureDetails [tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]"
| rex field=_raw "FeatureDetails \[(?<_raw>.*)\]"
| makemv delim="," _raw

Hope this helps!

Please upvote my response if this resolves the issue.

Re: splunks

gcusello — Thu, 20 Aug 2020 10:58:46 GMT

Hi @vinod0313,

if it's acceptable for you to have a table with the field name in a column and the value in another column, you could run something like this:

| makeresults | eval _raw="FeatureDetails [tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]" | rex "tokenValidatorInfo\=(?<tokenValidatorInfo>[^,]*), requestValidationRequired\=(?<requestValidationRequired>[^,]*), requestPayloadValidationRequired\=(?<requestPayloadValidationRequired>[^,]*), responsePayloadValidationRequired\=(?<responsePayloadValidationRequire>[^,]*), aopUsed\=(?<aopUsed>[^,]*), tibcoCommunicatorUsed\=(?<tibcoCommunicatorUsed>[^,]*), secretsSecured\=(?<secretsSecured>[^\]]*)" | fields - _raw - _time | transpose | eval ppp=column."=".row1

If otherwise you want field=value, you could run something like this:

Ciao.

Giuseppe

Re: splunks

vinod0313 — Fri, 21 Aug 2020 05:57:50 GMT

After trying with your suggested query i am getting below response

i am not getting the result as asked like below

tokenValidatorInfo=false
requestValidationRequired=false
requestPayloadValidationRequired=false
responsePayloadValidationRequired=false
aopUsed=false
tibcoCommunicatorUsed=false
secretsSecured=false

Re: splunks

Nisha18789 — Fri, 21 Aug 2020 09:37:40 GMT

Hi , replace |makemv with below

| rex field=_raw mode=sed "s/, /\n/g"

or,

| rex field=_raw mode=sed "s/,/\n/g"

Hi @vinod0313 , adding a reference screenshot with the test query with which it splitting the , by a new line in _raw events

index=_internal "," sourcetype=itsi_internal_log
| rex field=_raw mode=sed "s/,/\n/g"

Re: splunks

gcusello — Fri, 21 Aug 2020 09:00:19 GMT

Hi @vinod0313,

Please try mine:

Ciao.

Giuseppe

Re: splunks

vinod0313 — Fri, 21 Aug 2020 09:01:59 GMT

tried but it didnt worked.

Re: splunks

gcusello — Fri, 21 Aug 2020 09:06:52 GMT

Hi @vinod0313,

what result do you have if you run:

Your_search | rex "tokenValidatorInfo\=(?<tokenValidatorInfo>[^,]*), requestValidationRequired\=(?<requestValidationRequired>[^,]*), requestPayloadValidationRequired\=(?<requestPayloadValidationRequired>[^,]*), responsePayloadValidationRequired\=(?<responsePayloadValidationRequire>[^,]*), aopUsed\=(?<aopUsed>[^,]*), tibcoCommunicatorUsed\=(?<tibcoCommunicatorUsed>[^,]*), secretsSecured\=(?<secretsSecured>[^\]]*)"

are the fields extracted or not?

if yes, using the other commands you can have the format you want.

If not, this means that the logs are different so the rex command fails.

In this case, could you share some other example of your logs?

Ciao.

Giuseppe