topic Re: Exttract the first value for multivalue field events in Splunk Search

Exttract the first value for multivalue field events

vrmandadi — Tue, 29 Sep 2020 17:43:59 GMT

Hey,

I have a sample event,which is a multivalue field,I want to extract Service ID and Ent_Provider Id from the type="startPlacement" .Since this is a multivalue field there are many type="startPlacement" ,but I want to extract the fields from the first type="startPlacement"

<ns2:Events>
         <ns2:PlacementStatusEvent type="startPlacement" time="2018-01-16T14:16:02.238-05:00" messageRef="eeac4616-7c69-4453-a66e-01e2d8726db7">
            <StatusCode class="0">
               <Note>SUCCEEDED</Note>
            </StatusCode>
            <ns2:Spot>
               <Tracking>sync-ADS}:{**iCTRL Lifestyle**#**foodnetwork.com**@{b}_t_125_1516130158263321007_5a54dba8000a94c6}:{01LC5SUJUJSTa8mReTByrtGQ</Tracking>
               <Content>
                  <AssetRef providerID="abc.com" assetID="DAMV8018010541107392" />
                  <Duration>PT30.000S</Duration>
                  <Tracking>tron-ADS}:{iCTRL Lifestyle#foodnetwork.com@{b}_t_125_1516130158263321007_5a54dba8000a94c6}:{01Uat1fEFCQKaxZmV1Cx72ig</Tracking>
               </Content>
               <ns2:SpotNPT scale="1">0.0</ns2:SpotNPT>
            </ns2:Spot>
         </ns2:PlacementStatusEvent>

Service_ID=iCTRL Lifestyle
Ent_Provider Id=foodnetwork.com

Re: Exttract the first value for multivalue field events

horsefez — Tue, 16 Jan 2018 22:11:44 GMT

Hi,

how about using the following splunk command:

| rex max_match=1 field=<nameofyourmultivaluefield> "\<Tracking\>[^{]+\{(?<Service_ID>[^#]+)\#(?<Ent_Provider>[^@]+)"

P.S. max_match is by default set to 1, so that wouldn't be needed and is only here for better illustration

Re: Exttract the first value for multivalue field events

vrmandadi — Wed, 17 Jan 2018 01:10:20 GMT

Thank you for your response,how can I extract these fields into interesting fields like IFX,so that i dont need to use rex everytime

Re: Exttract the first value for multivalue field events

mayurr98 — Wed, 17 Jan 2018 07:58:04 GMT

hey @vrmandadi

try this

index=<your_index> | rex field=_raw "<Tracking>sync-ADS}:{\*\*(?<Service_ID>[^\*]+)\*\*#\*\*(?<Ent_Provider_Id>[^\*]+)"

Now if you do not want to use this regex in search query and you want to extract this fields directly then do this
step1 :go to Fields » Field extractions » Add new
step2 : fill in the details Name: Service_and_provider_ID

apply to sourcetype: <put_your_sourcetype_on_which_you_want_toapply_this_regex>
Extraction/Transform : <Tracking>sync-ADS}:{\*\*(?<Service_ID>[^\*]+)\*\*#\*\*(?<Ent_Provider_Id>[^\*]+)
step3 : save

Then see extracted fields by entering index=<your_index> on your search bar

let me know if this helps !

Re: Exttract the first value for multivalue field events

vrmandadi — Wed, 17 Jan 2018 13:36:06 GMT

Hello @mayurr98

Thanks for the reply,I tried your rex in search ,I did not see the fields extracted.

Re: Exttract the first value for multivalue field events

mayurr98 — Wed, 17 Jan 2018 13:40:09 GMT

hey sorry you need to escape special characters as well
try this instead

index=<your_index> | rex field=_raw "\<Tracking\>sync\-ADS\}\:\{\*\*(?<Service_ID>[^\*]+)\*\*\#\*\*(?<Ent_Provider_Id>[^\*]+)"

let me know if this helps !

Re: Exttract the first value for multivalue field events

horsefez — Mon, 22 Jan 2018 14:43:41 GMT

Hi vrmandadi,
sadly I don't know what you mean by "IFX" or "interesting fields". Could you give me an example for that?