How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

yuvalba
Path Finder

I need to extract multivalues from a field with the following value format: role1, role2, some role3
The problem is that there are spaces after the commas.
I was able to do it successfully using the following search: | rex mode=sed field=role "s/, /,/g" | makemv delim="," role
How can I implement it on the configuration?

1 Solution

martin_mueller
SplunkTrust

Just use makemv delim=", ":

| stats count | eval field = "a, b, c" | makemv field delim=", "

martin_mueller
SplunkTrust

You can change the FORMAT of the old role field to a different name, set the SOURCE_KEY of the new extraction to that and the named capturing group to role. You can't have both as role because then the individual values would get added to the three-roles-string.

As for the regex, the second non-capturing group is for "eating up" the comma and space between the individual values. Might actually not be necessary.

yuvalba
Path Finder

Here is my final configuration as suggested:

[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)
FORMAT = roles_string::$1

[junipersa-roles-mv]
SOURCE_KEY = roles_string
MV_ADD = true
REGEX = (?<role>[^\s,]+)

Seems to work fine, though I need some further QA 🙂
Thanks for the great and prompt help!
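The following Python script is an added illustration, not code from this thread or from Splunk, that emulates the two-transform chain above on a constructed event: stage 1 applies the [junipersa-role-info] REGEX and captures the bracketed list as roles_string, stage 2 emulates MV_ADD = true over that field. It also shows the caveat a reviewer would raise during QA: the stage-2 pattern [^\s,]+ splits a role that itself contains a space ("some role3" from the original question) into two values, so an assumed alternative pattern that splits on commas only and trims the surrounding whitespace is included for comparison.

```python
import re

# Constructed sample event shaped to match the thread's stage-1 REGEX (not a real Juniper log).
SAMPLE_EVENT = ("Juniper: 2024-01-01 12:00:00 - ive - [10.0.0.5] "
                "jdoe(Users)[role1, role2, some role3] - Login succeeded")

# Stage 1: the thread's [junipersa-role-info] REGEX, used with FORMAT = roles_string::$1
ROLE_INFO_REGEX = re.compile(
    r"Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s"
    r"[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)"
)

# Stage 2 candidates, run over SOURCE_KEY = roles_string with MV_ADD = true.
# Splunk's PCRE (?<role>...) is spelled (?P<role>...) for Python's re module.
SPLIT_ON_SPACE_OR_COMMA = re.compile(r"(?P<role>[^\s,]+)")                # the thread's pattern
SPLIT_ON_COMMA_TRIMMED = re.compile(r"(?P<role>[^\s,](?:[^,]*[^\s,])?)")  # assumed alternative


def extract_roles_string(event):
    """Stage 1: the raw bracketed role list, or None when the event does not match."""
    m = ROLE_INFO_REGEX.search(event)
    return m.group(1) if m else None


def mv_add(source_value, regex):
    """Stage 2: emulate MV_ADD = true, i.e. one value per match of the named group."""
    if source_value is None:
        return []
    return [m.group("role") for m in regex.finditer(source_value)]


def extract_roles(event, regex=SPLIT_ON_COMMA_TRIMMED):
    """Both stages chained, as a REPORT-* list of two transforms would run them."""
    return mv_add(extract_roles_string(event), regex)


if __name__ == "__main__":
    print(extract_roles(SAMPLE_EVENT, SPLIT_ON_SPACE_OR_COMMA))  # ['role1', 'role2', 'some', 'role3']
    print(extract_roles(SAMPLE_EVENT))                           # ['role1', 'role2', 'some role3']
```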

martin_mueller
SplunkTrust

Okay, so I assume this is in your props.conf:

[your_sourcetype]
...
REPORT-foo = junipersa-role-info

If so, append a second item like so:

REPORT-foo = junipersa-role-info,juniper-mvroles

And add that stanza to transforms.conf:

[juniper-mvroles]
REGEX = (?<rolemv>[^\s,]+)(?:[\s,]*)
SOURCE_KEY = role
MV_ADD = true

That'll extract the multivalues from the previous extracted field, no fields.conf entry necessary.

yuvalba
Path Finder

It works! (although I don't fully understand the REGEX syntax - what is the second match group for). And last thing, I prefer to get the result in the role field and not a new field. I will try to do it unless you have a quick solution.


yuvalba
Path Finder

transforms.conf

[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([\s\d\w\,]+)\]\s-
FORMAT = role::$1

fields.conf

[role]
TOKENIZER = (\w[^\,]*)

martin_mueller
SplunkTrust

Ah, not in the search... What's the event around the roles / the regex to extract the role field?


yuvalba
Path Finder

Thanks. That's a good idea, but now how do I implement it in the configuration?
