topic Re: How to create a field extraction for a field that contains multiple values? in Splunk Search

How to create a field extraction for a field that contains multiple values?

mohammed7860 — Tue, 29 Sep 2020 12:00:44 GMT

I have the following event record. I need to create a field extraction on field called openports that is having multiple values highlighted in bold. How do I do this :

2016-12-01T14:34:26.315202-06:00 XXX.xxx.xxx.xxx CounterACT[1762]: admission=New Host; hostname=xxx.xxx.xxx.xxx; ad_displayname=User; banner=Unknown; onsite=Yes; online=Yes; ip=xx.xxx.xx.xx; ad_name=User; latest_ioc_date_sensitivity=Low Severity: #012Medium Severity: #012High Severity: #012Critical Severity: ; atc_scan_details=Scan Start Time: #012Scan Duration (seconds): #012Scan Status: Never scanned#012Scan Errors: ; mac=Unknown; mac_colon=Irresolvable; mac_dash=Irresolvable; group=Windows; nic_vendor=Irresolvable; nic_vendor_string=Irresolvable; netfunction=Windows Machine; openports=22/TCP, 135/TCP, 21/TCP, 80/TCP, 137/UDP, 3389/TCP;

Any help will be greatly appreciated

Thanks,

Obaid

Re: How to create a field extraction for a field that contains multiple values?

gokadroid — Thu, 01 Dec 2016 22:00:19 GMT

try if openports is not already extracted:

your query
| rex field=_raw "openports\=(?<openports>[^;]+)"
| rex field=openports max_match=0 "(?<port>[\d]+)\/(?<protocol>[^,\s]+)"
| table values(port)

If it's already extracted then remove the first line | rex field=_raw "openports\=(?<openports>[^;]+)" and if depending on the last character if your earlier extraction caught ; as well then add additional exlusion in [^,\s] to make it [^,;\s]

Re: How to create a field extraction for a field that contains multiple values?

mohammed7860 — Fri, 02 Dec 2016 03:57:35 GMT

Thanks gokadroid for you input, could you please help me do an automatic extraction for this field openports