topic Re: extract multiple values from fields in same event in Splunk Search

extract multiple values from fields in same event

kannu — Mon, 26 Apr 2021 14:47:20 GMT

Hello team ,

I am having one event in which single field have multiple value like provided below:

{"body":{"records": [{ "category": "AzureFirewallNetworkRule", "time": "2021-04-26T13:13:37.0631470Z", "resourceId": "/SUBSCRIPTIONS/**********-*****-****-**/RESOURCEGROUPS/C-ABS-IT-SS-PROD-UKS-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/C-ABS-IT-SS-PROD-UKS-FIREWALL", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.119.252.16:64967 to 54.83.8.19:54443. Action: Deny"}},{ "category": "AzureFirewallNetworkRule", "time": "2021-04-26T13:13:37.4217670Z", "resourceId": "/SUBSCRIPTIONS/**********-*****-****-**/RESOURCEGROUPS/C-ABS-IT-SS-PROD-UKS-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/C-ABS-IT-SS-PROD-UKS-FIREWALL", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.119.34.12:62142 to 131.100.0.201:5938. Action: Deny"}},{ "category": "AzureFirewallNetworkRule", "time": "2021-04-26T13:13:37.9262290Z", "resourceId": "/SUBSCRIPTIONS/**********-*****-****-**/RESOURCEGROUPS/C-ABS-IT-SS-PROD-UKS-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/C-ABS-IT-SS-PROD-UKS-FIREWALL", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.119.252.196:13973 to 40.79.154.87:443. Action: Allow"}}

Above is one single event

from which i want to extract src ip and dest ip

for example 10.119.252.16 is src ip and 54.83.8.19 is dest ip , I want to extract all from backend i dont wana use rex max_match=0 .

Please let me know how can i extract all from backend .

Thanks

Kannu

Re: extract multiple values from fields in same event

ITWhisperer — Mon, 26 Apr 2021 16:07:03 GMT

When you say you want to "extract all from backend", do you mean you want to know how to extracted them at indexing time rather than search time?

Re: extract multiple values from fields in same event

kannu — Tue, 27 Apr 2021 05:52:28 GMT

@ITWhisperer Yes index time

Re: extract multiple values from fields in same event

kannu — Thu, 29 Apr 2021 06:25:55 GMT

Well , I have figured out the answer of my problem ,

Which is first I have extracted the inner json , from main json event , then i have used props.conf to index them using seprate event in that way splunk is taking all field with separate events .

[azure]
LINE_BREAKER=((?<=\}),(?=\{)|[\r\n]+)
TRUNCATE = 0
SHOULD_LINEMERGE = false
SEDCMD-remove_prefix=s/{"body":{"records":.?\[//g
SEDCMD-remove_suffix=s/\]}.*}//g