topic Re: Field extraction needed in Splunk Search

How do I search field extraction for table?

mbasharat — Tue, 18 Jul 2023 00:51:47 GMT

Hi,

I have below scenario. Image_Name and Name_Space are being ingested with below variations in table A. Image_name is a multivalued field as shown. I tried using makemv delim but it doesnt work because there is no delimiter e.g. space between the two. I need them separated out as in table B. Thanks in advance!

Table A:

Image_Name	Name_Space
<none> c-ecm-dev/das-dynamic-filter-services	c-ecm-dev
<none>	cs-webapps-sat
NULL	NULL
NULL	c-aoic-dev
c-ecm-dev/das-dynamic-filter-services c-ecm-sat/irtf-das-service	c-ecm-sat
c-ecm-dev/das-dynamic-filter-services cpopen/ibm-watson-speech-catalog	openshift-marketplace
c-ecm-sbx/das-pay-gov-services iam-essar-aqt1/iam-essar-aqt1	NULL
c-ecm-sbx/das-rendering-service	sysdig
cs-webapps-sbx/baldue-bwas c-ecm-dev/das-rendering-service	c-ecm-dev

Table B:

Image_Name	Name_Space
<none>	c-ecm-dev
c-ecm-dev/das-dynamic-filter-services	c-ecm-dev
<none>	cs-webapps-sat
NULL	NULL
NULL	c-aoic-dev
c-ecm-dev/das-dynamic-filter-services	c-ecm-sat
c-ecm-sat/irtf-das-service	c-ecm-sat
c-ecm-dev/das-dynamic-filter-services	openshift-marketplace
cpopen/ibm-watson-speech-catalog	openshift-marketplace
c-ecm-sbx/das-pay-gov-services	NULL
iam-essar-aqt1/iam-essar-aqt1	NULL
c-ecm-sbx/das-rendering-service	sysdig
cs-webapps-sbx/baldue-bwas	c-ecm-dev
c-ecm-dev/das-rendering-service	c-ecm-dev

Re: Field extraction needed

gcusello — Fri, 14 Jul 2023 06:15:07 GMT

Hi @mbasharat,

to help you, I need the raw events, could you share them?

anyway, probably with a regex it should be possible to separate values.

Ciao.

Giuseppe

Re: Field extraction needed

VatsalJagani — Fri, 14 Jul 2023 06:19:38 GMT

@mbasharat - It's possible if its already a multi-valued field and that's why you are seeing them like that. If so, try below at the end of your search and see if that works:

| mvexpand Image_Name

Loose nothing in trying out!!

Re: Field extraction needed

mbasharat — Fri, 14 Jul 2023 12:42:53 GMT

Hi @VatsalJagani

I had tried it and it did not work.

Re: Field extraction needed

mbasharat — Fri, 14 Jul 2023 13:03:57 GMT

Hi @gcusello

See few raw samples below. Field names are imageName and namespace. I have everything coming normalized except imageName which need to be split up inparallel with namespace the way I have provided in Table B.

Sample1:
07/13/2023 17:55:05 +0000, search_name="Sample", search_now=1689271860.000, info_min_time=1686614400.000, info_max_time=1689271894.612, info_search_time=1689271892.776, IP="1.2.3.4", OS="Red Hat Enterprise Linux CoreOS 4.11", DNS=sampledns1, GSS="sample1", qid=241759, AO="user1.com", cveids="CVE-2023-1667 CVE-2023-2283", result="#table cols=\"3\"
Package Installed_Version Required_Version
libssh-config 0.9.6-3.el8.noarch 0.9.6-10.el8__8
libssh 0.9.6-3.el8.x86__64 0.9.6-10.el8__8", imageId=05ac522d3e87, isDrift=false, CATEGORY=SERVER, ISSO="sampleisso1", PROJECTS=NULL, hostname=sampledns1, imageSha=0000000000000000000000000000000000000000, os_group=OTHER, LAST_SEEN="2023-07-12T20:18:15Z", imageName="<none>", imageUuid="0000000000000000000000", namespace="c-ecm-dev", vulnTitle="Red Hat Update for libssh (RHSA-2023:3839)", containerState=RUNNING, softwareFixVersion="0.9.6-10.el8__8", PRJ_GROUP_EMAIL="projemail1@sample.com", Business_Group=UNASSIGNED, vulnFirstfound="2023-07-13T06:35:03Z", imageScanType=null, POC_EMAIL="poc1@sample.come", cvss3TemporalScore="5.9", SYSTEMNAME=NULL, RESPONSIBILITY_CODE="sample respcode", vulnLastfound="2023-07-13T06:35:03Z", cvss3BaseScore="6.5", AO_EMAIL="sampleemail.com", POC_NAME="sample user", PRJ_NAME=ABC, Severity=Moderate, Environment=DEV, containerId=123456789, ISSO_EMAIL="sample3.com", containerSha=000000000000000000000000000000000000000000, softwareVersion="0.9.6-3.el8", softwareName="libssh libssh-config", vulnCategory=RedHat, vulnSolution="Refer to Red Hat security advisory <A HREF='https://access.redhat.com/errata/RHSA-2023:3839' TARGET='_blank'>RHSA-2023:3839</A> for updates and patch information.
Patch: 
Following are links for downloading patches to fix the vulnerabilities:
 <A HREF='https://access.redhat.com/errata/RHSA-2023:3839' TARGET='_blank'>RHSA-2023:3839:Red Hat Enterprise Linux</A>", containerCreated="2023-07-13T06:31:14Z", containerUpdated="2023-07-13T06:35:03Z"

Sample2:
07/14/2023 11:39:39 +0000, search_name="sample", search_now=1689336660.000, info_min_time=1686700800.000, info_max_time=1689336695.166, info_search_time=1689336692.365, IP=NULL, OS=NULL, DNS=NULL, GSS=NULL, qid=500500, AO=NULL, cveids="CVE-2022-0778", result="#table cols=\"3\"
Package Installed_Version Required_Version
libcrypto1.1 1.1.1k-r0 1.1.1n-r0
libssl1.1 1.1.1k-r0 1.1.1n-r0", imageId=24ae535b6904, isDrift=false, CATEGORY=NULL, ISSO=NULL, PROJECTS=NULL, hostname=samplehost, imageSha=000000000000000000000000000000, os_group=NULL, LAST_SEEN=NULL, imageName="c-ecm-dev/mtrdb-integration", imageUuid="000000000-00000000000000000-000000000000000", namespace="sysdig-sdc-cli", vulnTitle="Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)", containerState=RUNNING, softwareFixVersion="1.1.1n-r0", PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-07-09T18:18:06Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="6.7", SYSTEMNAME=NULL, RESPONSIBILITY_CODE=NULL, vulnLastfound="2023-07-09T18:18:06Z", cvss3BaseScore="7.5", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=High, Environment=NULL, containerId=123456789, ISSO_EMAIL=NULL, containerSha=000000000000000000000000000000000000, softwareVersion="1.1.1k-r0", softwareName="libcrypto1.1 libssl1.1", vulnCategory="Alpine Linux", vulnSolution="Refer to Alpine Linux advisory <A HREF='https://security.alpinelinux.org/srcpkg/openssl' TARGET='_blank'>openssl</A> for updates and patch information.
Patch: 
Following are links for downloading patches to fix the vulnerabilities:
 <A HREF='https://security.alpinelinux.org/srcpkg/openssl' TARGET='_blank'>openssl-1.1.1n-r0:Alpine Linux</A>", containerCreated="2023-07-09T18:13:48Z", containerUpdated="2023-07-09T18:18:06Z"

Sample3:
07/13/2023 17:40:56 +0000, search_name="sample", search_now=1689271860.000, info_min_time=1686614400.000, info_max_time=1689271894.612, info_search_time=1689271892.776, IP="0.0.0.0", OS="Red Hat Enterprise Linux CoreOS 4.11", DNS=sampledns, GSS="samplegss", qid=241757, AO="sampleuser@sample.com", cveids="CVE-2023-26604", result="#table cols=\"3\"
Package Installed_Version Required_Version
systemd-libs 239-68.el8__7.4.x86__64 239-74.el8__8.2", imageId=dcbb6b8e07e2, isDrift=false, CATEGORY=SERVER, ISSO="sample", PROJECTS=NULL, hostname=samplehostname, imageSha=00000000000000000000000000000000, os_group=OTHER, LAST_SEEN="2023-07-12T20:33:03Z", imageName="wi-irps-sat/ir-data-certification-sat
c-ecm-dev/irtf-das-service", imageUuid="0000000000-00000000000-000000000000", namespace="c-ecm-dev", vulnTitle="Red Hat Update for systemd (RHSA-2023:3837)", containerState=RUNNING, softwareFixVersion="239-74.el8__8.2", PRJ_GROUP_EMAIL="sampleuser@sample.com", Business_Group=UNASSIGNED, vulnFirstfound="2023-07-03T10:55:11Z", imageScanType="null
null", POC_EMAIL="sampleuser@sample.com", cvss3TemporalScore="7.0", SYSTEMNAME=NULL, RESPONSIBILITY_CODE="ENTERPRISE CONTAINER", vulnLastfound="2023-07-03T10:55:11Z", cvss3BaseScore="7.8", AO_EMAIL="sampleuser@sample.com", POC_NAME="sample user", PRJ_NAME=ECM, Severity=High, Environment=DEV, containerId=1234564897, ISSO_EMAIL="sampleuser@sample.com", containerSha=0000000000000000000000000000000000, softwareVersion="239-68.el8_7.4", softwareName="systemd-libs", vulnCategory=RedHat, vulnSolution="Refer to Red Hat security advisory <A HREF='https://access.redhat.com/errata/RHSA-2023:3837' TARGET='_blank'>RHSA-2023:3837</A> for updates and patch information.
Patch: 
Following are links for downloading patches to fix the vulnerabilities:
 <A HREF='https://access.redhat.com/errata/RHSA-2023:3837' TARGET='_blank'>RHSA-2023:3837:Red Hat Enterprise Linux</A>", containerCreated="2023-07-03T10:51:50Z", containerUpdated="2023-07-03T10:55:11Z"

Re: Field extraction needed

VatsalJagani — Sat, 15 Jul 2023 15:19:03 GMT

As @gcusello mentioned kindly share the _raw events so we can guide you.

Re: Field extraction needed

mbasharat — Sat, 15 Jul 2023 23:16:26 GMT

Hi folks,

See below 4 samples. Field names are namespace and imageName in the events. Much appreciated!!!

07/14/2023 23:37:50 +0000, search_name="Sample", search_now=1689379860.000, info_min_time=1686787200.000, info_max_time=1689379897.133, info_search_time=1689379894.139, IP=NULL, OS=NULL, DNS=NULL, GSS=NULL, qid=650035, AO=NULL, cveids="CVE-2020-14145", result="Vulnerable version of OpenSSH Detected:OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020", imageId=45a89e408277, isDrift=false, CATEGORY=NULL, ISSO=NULL, PROJECTS=NULL, hostname="test.com", imageSha=000000000000000000000000000000, os_group=NULL, LAST_SEEN=NULL, imageName="raas/jggmb/graph-analysis", imageUuid="0000000000-000000000000-000000000", namespace=NULL, vulnTitle="OpenSSH Information Disclosure Vulnerability (Generic)", containerState=RUNNING, softwareFixVersion=NULL, PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-07-06T18:16:21Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="5.4", SYSTEMNAME=NULL, RESPONSIBILITY_CODE=NULL, vulnLastfound="2023-07-06T18:16:21Z", cvss3BaseScore="5.9", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=Moderate, Environment=NULL, containerId=000000000000, EMAIL=NULL, containerSha=000000000000000000000000000000000, softwareVersion=NULL, softwareName=NULL, vulnCategory="Security Policy", vulnSolution="OpenSSH team committed a partial mitigation of this issue which is included in openssh 8.4.

Refer to <A HREF='https://www.openssh.com/' TARGET='_blank'>OpenSSH 8.4</A> for details.", containerCreated="2023-07-06T18:08:01Z", containerUpdated="2023-07-06T18:16:21Z"

07/15/2023 00:10:08 +0000, search_name="sample", search_now=1689379860.000, info_min_time=1686787200.000, info_max_time=1689379897.133, info_search_time=1689379894.139, IP="0.0.0.0", OS="Red Hat Enterprise Linux Server 7.9", DNS="sample.com", GSS="TestGSS", qid=199358, AO=NULL, cveids="CVE-2019-17594 CVE-2019-17595 CVE-2021-39537 CVE-2022-29458 CVE-2023-29491", result="#table cols=\"3\" Package Installed_Version Required_Version libtinfo6 6.2-0ubuntu2 6.2-0ubuntu2.1 libncurses6 6.2-0ubuntu2 6.2-0ubuntu2.1 ncurses-bin 6.2-0ubuntu2 6.2-0ubuntu2.1 ncurses-base 6.2-0ubuntu2 6.2-0ubuntu2.1 libncursesw6 6.2-0ubuntu2 6.2-0ubuntu2.1", imageId=976ed922248e, isDrift=true, CATEGORY=SERVER, ISSO=NULL, PROJECTS=NULL, hostname="test.com", imageSha=00000000000000000000000000, os_group="RHEL 7", LAST_SEEN="2023-07-14T07:32:50Z", imageName="raas/cdw-api", imageUuid="000000000000-0000000000000000-00000000000", namespace=xyz, vulnTitle="Ubuntu Security Notification for ncurses Vulnerabilities (USN-6099-1)", containerState=RUNNING, softwareFixVersion="6.2-0ubuntu2.1", PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-05-27T00:52:20Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="7.9", SYSTEMNAME=ADMIN, RESPONSIBILITY_CODE="ABC Group", vulnLastfound="2023-07-13T20:02:42Z", cvss3BaseScore="8.8", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=High, Environment=NULL, containerId=00000000000, ISSO_EMAIL=NULL, containerSha=0000000000000000000000000000000000000000, softwareVersion="6.2-0ubuntu2", softwareName="libncurses6:amd64 libncursesw6:amd64 libtinfo6:amd64 ncurses-base ncurses-bin", vulnCategory=Ubuntu, vulnSolution="Refer to Ubuntu security advisory <A HREF='https://ubuntu.com/security/notices/USN-6099-1' TARGET='_blank'>USN-6099-1</A> for updates and patch information. Patch: Following are links for downloading patches to fix the vulnerabilities: <A HREF='https://ubuntu.com/security/notices/USN-6099-1' TARGET='_blank'>USN-6099-1:Ubuntu Linux</A>", containerCreated="2023-05-18T23:41:47Z", containerUpdated="2023-07-13T20:02:42Z"

07/14/2023 23:43:10 +0000, search_name="Sample", search_now=1689379860.000, info_min_time=1686787200.000, info_max_time=1689379897.133, info_search_time=1689379894.139, IP=NULL, OS=NULL, DNS=NULL, GSS=NULL, qid=106124, AO=NULL, cveids=NULL, result="#table cols=\"1\" End_of_Life_Node.js_version_Detected___node:_'17.8.0',_/opt/conda/envs/rapids", imageId=bd2ba01f6d48, isDrift=false, CATEGORY=NULL, ISSO=NULL, PROJECTS=NULL, hostname="sample.com", imageSha=000000000000000000000000000000000, os_group=NULL, LAST_SEEN=NULL, imageName="raas/bpa-lab/rapidsai-22.08-cuda11.4-centos7-py3.8", imageUuid="000000000000-0000000000000-0000000000000", namespace=NULL, vulnTitle="EOL/Obsolete Software: Node.js 17.x Detected", containerState=RUNNING, softwareFixVersion=NULL, PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-07-11T18:47:56Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="9.0", SYSTEMNAME=NULL, RESPONSIBILITY_CODE=NULL, vulnLastfound="2023-07-13T21:54:18Z", cvss3BaseScore="9.8", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=Critical, Environment=NULL, containerId=000000000000, ISSO_EMAIL=NULL, containerSha=00000000000000000000000000, softwareVersion=NULL, softwareName=NULL, vulnCategory="Security Policy", vulnSolution=NULL, containerCreated="2023-07-11T18:37:46Z", containerUpdated="2023-07-13T21:54:18Z"

07/15/2023 12:06:38 +0000, search_name="Sample", search_now=1689423060.000, info_min_time=1686787200.000, info_max_time=1689423094.363, info_search_time=1689423092.507, IP="0.0.0.0", OS="Red Hat Enterprise Linux Server 7.9", DNS="sample.com", GSS="Test1", qid=180276, AO=NULL, cveids="CVE-2021-46663", result="#table cols=\"3\" Package Installed_Version Required_Version mariadb-common 1:10.3.18-0+deb10u1 1:10.3.36-0+deb10u2 libmariadb3 1:10.3.18-0+deb10u1 1:10.3.36-0+deb10u2", imageId=cf879a45faaa, isDrift=true, CATEGORY=SERVER, ISSO=NULL, PROJECTS=ABC, hostname="sample.com", imageSha=000000000000000000, os_group="RHEL 7", LAST_SEEN="2023-07-15T00:59:17Z", imageName=postgres, imageUuid="0000000000000000", namespace=abcd, vulnTitle="Debian Security Update for mariadb-10.5mariadb-10.3 (CVE-2021-46663)", containerState=RUNNING, softwareFixVersion="1:10.3.36-0+deb10u2", PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-01-13T22:09:56Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="5.0", SYSTEMNAME=CDW, RESPONSIBILITY_CODE="XYZ", vulnLastfound="2023-06-20T18:38:31Z", cvss3BaseScore="5.5", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=Moderate, Environment=NULL, containerId=0d74dc575dfb, ISSO_EMAIL=NULL, containerSha=0000000000000000000000000000000000000000, softwareVersion="1:10.3.18-0+deb10u1", softwareName="libmariadb3:amd64 mariadb-common", vulnCategory=Debian, vulnSolution="Refer to Debian security advisory <A HREF='https://security-tracker.debian.org/tracker/CVE-2021-46663' TARGET='_blank'>CVE-2021-46663</A> for updates and patch information. Patch: Following are links for downloading patches to fix the vulnerabilities: <A HREF='https://security-tracker.debian.org/tracker/CVE-2021-46663' TARGET='_blank'>CVE-2021-46663:Debian</A>", containerCreated="2020-05-08T01:54:27Z", containerUpdated="2023-06-20T21:20:51Z"

Re: Field extraction needed

yuanliu — Sun, 16 Jul 2023 03:10:06 GMT

This gets even more confusion. Exemplified data show no multivalued imageName in any event.

imageName	namespace
raas/jggmb/graph-analysis	NULL
raas/cdw-api	xyz
raas/bpa-lab/rapidsai-22.08-cuda11.4-centos7-py3.8	NULL
postgres	abcd

Re: Field extraction needed

gcusello — Sun, 16 Jul 2023 08:50:24 GMT

Gi @VatsalJagani,

ok, in each event there's one value for both the fields, so you have to use stats and mvexpand commands, something like this:

<your_search> | stats values(Image_Name) AS Image_Name BY Name_Space | mvexpand Image_Name | table Image_Name Name_Space

Ciao.

Giuseppe

Re: Field extraction needed

mbasharat — Sun, 16 Jul 2023 15:11:15 GMT

Hi yuanlu,

Yes it does. See below from Event #3:

imageName="raas/jggmb/graph-analysis"

Which is actually needed as below since there can be multiple imageName in each namespace separated by /:

namespace imageName
NULL raas
NULL iggmb
NULL graph-analysis

The challenge is not the /, it is that imageName can be multivalued field as below which I had mentioned in the very first post sample. The issue is the mv because there is no delimiter between the first and second value of mv as shown below:

namespace imageName
c-esm-sat c-ecm-dev/das-dynamic-filter-services/sample
c-ecm-sat/irtf-das-service

And this needs to be first extracted as below:

namespace imageName
c-esm-sat c-ecm-dev/das-dynamic-filter-services/sample
c-esm-sat c-ecm-sat/irtf-das-service

And final results are to be:

namespace Environment imageName
c-esm-sat c-ecm-dev /das-dynamic-filter-services
c-esm-sat c-ecm-dev /sample
c-esm-sat c-ecm-sat /irtf-das-service

Also, the first group is the Environment as I highlighted in red above. I am not worried about Environment because if I can have the value 1 and value 2 separated, It can them delimit Environment easily. I hope I explained better this time.

Re: Field extraction needed

yuanliu — Mon, 17 Jul 2023 05:38:17 GMT

Yes it does. See below from Event #3:
imageName="raas/jggmb/graph-analysis"
...
The challenge is not the /,

In other words, you are aware that Splunk doesn't give you multiple values from extracting imageName="raas/jggmb/graph-analysis". Is this correct? To get three values based on that separator "/", you need additional processing such as split.

it is that imageName can be multivalued field as below which I had
mentioned in the very first post sample. The issue is the mv because there is no delimiter between the first and second value of mv as shown below:

namespace imageName
c-esm-sat c-ecm-dev/das-dynamic-filter-services/sample
c-ecm-sat/irtf-das-service

And this needs to be first extracted as below:

namespace imageName
c-esm-sat c-ecm-dev/das-dynamic-filter-services/sample
c-esm-sat c-ecm-sat/irtf-das-service

Here is the problem: You keep insisting that imageName has multiple values such as (c-ecm-dev/das-dynamic-filter-services/sample, c-ecm-sat/irtf-das-service), but you haven't demonstrated a single event that can be extracted as multivalued into (c-ecm-dev/das-dynamic-filter-services/sample, c-ecm-sat/irtf-das-service). @VatsalJagani's first reply already informed that IF field imageName has multiple values, mvexpand will take care of your requirement, i.e.,

| mvexpand imageName

The only difference is that @VatsalJagani followed the original post's incorrect field name.

As far as SPL is concerned, it is impossible for mvexpand to not behave as you desired IF this field has multiple values. But if your so-called multivalued field has to come from separating parts delimited by "/", you can add a split, followed by mvexpand.

| eval imageName = split(imageName, "/") | mvexpand imageName

However, if you continue to see events in which imageName has multiple values without performing additional commands such as split, AND that mvexpand does not give you multiple events corresponding to each of those values, you must first demonstrate at least ONE such event. Otherwise this is a waste of volunteers' time.

Re: Field extraction needed

mbasharat — Mon, 17 Jul 2023 17:08:56 GMT

Hi yuanliu,

I did try that. See my notes in parenthesis. I will try to explain again.

namespace imageName
c-esm-sat c-ecm-dev/das-dynamic-filter-services/sample
(there is no space nor any delimiter between the 1st value at the top and the 2nd one below)
c-ecm-sat/irtf-das-service

Final results need to be:

namespace Environment imageName
c-esm-sat      c-ecm-dev   /das-dynamic-filter-services
c-esm-sat      c-ecm-dev   /sample
c-esm-sat   c-ecm-sat /irtf-das-service

Re: Field extraction needed

yuanliu — Thu, 20 Jul 2023 08:13:06 GMT

Perhaps I didn't explain my (and all these volunteers') difficulty with your explanation clearly enough. It has been clear early on that one or more of your events can have field values like the following.

namespace	imageName
c-esm-sat	c-ecm-dev/das-dynamic-filter-services/sample (1) c-ecm-sat/irtf-das-service (2)

(I'm using parenthesized numerals to indicate two different values.)

The problem is, you have never demonstrated a raw event has properties like that for which @VatsalJagani's mvexpand should not give you desired result, if you correct for the field name that was mistaken in your original description. After field name correction,

| mvexpand imageName

You also have not demonstrated the output of this command IF your events truly have multivalued imageName. Please note: the phrase "did not work" conveys little useful information and should be avoided in the best of scenarios, much less to volunteers with no intimate knowledge about your dataset.

In addition, just because Splunk's stats table displays a field like

c-ecm-dev/das-dynamic-filter-services/sample
c-ecm-sat/irtf-das-service

i.e., newline-delimited strings, the field is not necessarily multivalued. This is why everyone here insists that you demonstrate raw events with such characteristics. The events you have illustrated so far are made of text key-value pairs. It is not even possible for Splunk to give you any multivalued field with such constructs. (Unless you have some sort of secondary extraction somewhere else that is unbeknown to volunteers here. If you do, you must also explain those.)

Have you considered the possibility that imageName could be single valued multiline texts? Maybe you can try

| eval imageName = split(imageName, " ") | mvexpand imageName

Re: Field extraction needed

ITWhisperer — Thu, 20 Jul 2023 17:33:55 GMT

Well said!

Perhaps it is my age, but I find that my capacity for tolerance has diminished over time - I only have a certain amount of time to give (voluntarily) to answering Splunkers' questions, and those Splunkers who provide sufficient information are those who are most easy to aid. I applaud those in the community with sufficient capacity to continue with attempts to assist those in need! 😵🤓😎

Re: How do I search field extraction for table?

JohnEGones — Thu, 20 Jul 2023 11:47:01 GMT

This was an interesting and valuable discussion. Thanks.

I do genuinely appreciate volunteers and the willingness of people to give their time and experience/expertise to help, and if there is genuine interest in an exchange--versus simply trying to off-load doing work onto other people.

I hope in all of my interactions here I am helped, can help, and can be taught.

Cheers.

Re: Field extraction needed

mbasharat — Thu, 20 Jul 2023 16:16:45 GMT

Hi @yuanliu

This was it! It worked per your solution. Thank you!!!😊

Re: Field extraction needed

mbasharat — Thu, 20 Jul 2023 16:20:56 GMT

Hi @ITWhisperer

Patience is a virtue and tolerance is the by product of it including many other things. Specially when the trunk has a sticker "Student driver"! 😁 Btw, I did explain everything well, however @yuanliu added a little more clarity with mentioning (1) and (2).

Appreciate ya' all as always!!! Don't lose patience 😋😜