topic Re: How to write the regex to extract these 2 fields from this result? in Splunk Search

How to write the regex to extract these 2 fields from this result?

kranthi851 — Mon, 06 Jun 2016 17:03:17 GMT

Hi all,

How to extract the fields UDP_PORT and TCP_PORT from this result?

FIXED_SEVERITY_3=10, FIXED_SEVERITY_2=14, CONFIRMED_SEVERITY_2=13, CONFIRMED_SEVERITY_3=9, CONFIRMED_SEVERITY_1=3, ACTIVE_SEVERITY_3=2, CONFIRMED_SEVERITY_4=1, ACTIVE_SEVERITY_1=1, SCAN_DURATION=1647, UDP_PORT=123, UDP_PORT=514, TCP_PORT=22, TCP_PORT=514, TCP_PORT=5520, TCP_PORT=8000, TOTAL_VULNS=46

Re: How to write the regex to extract these 2 fields from this result?

sundareshr — Mon, 06 Jun 2016 17:17:28 GMT

Like this

... | rex max_match=0 "UDP+PORT=(?<udp>\d+)" | rex max_match=0 "TCP_PORT=(?<tcp>\d+)" | eval z=mvzip(udp, tcp) | mvexpand z | table udp tcp

Re: How to write the regex to extract these 2 fields from this result?

richgalloway — Mon, 06 Jun 2016 17:21:42 GMT

One of these should do.

... | rex max_match=0 "UDP_PORT=(?<UPD_PORT>\d+)|TCP_PORT=(?<TCP_PORT>\d+)" | ...

... | extract mv_add=true kvdelim='=' pairdelim=',' | ...

Both will produce multi-value fields for each type of port, which you can then process using the mv* commands.