
How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

yuvalba
Path Finder

I need to extract multivalues from a field with the following value format: role1, role2, some role3
The problem is that there are spaces after the commas.
I was able to do it successfully using the following search: | rex mode=sed field=role "s/, /,/g" | makemv delim="," role
How can I implement it on the configuration?

0 Karma
1 Solution

martin_mueller
SplunkTrust

Just use makemv delim=", ":

| stats count | eval field = "a, b, c" | makemv field delim=", "

martin_mueller
SplunkTrust

You can change the FORMAT of the old role field to a different name, set the SOURCE_KEY of the new extraction to that and the named capturing group to role. You can't have both as role because then the individual values would get added to the three-roles-string.

As for the regex, the second non-capturing group is for "eating up" the comma and space between the individual values. Might actually not be necessary.

yuvalba
Path Finder

Here is my final configuration as suggested:

[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)
FORMAT = roles_string::$1

[junipersa-roles-mv]
SOURCE_KEY = roles_string
MV_ADD = true
REGEX = (?<role>[^\s,]+)

Seems to work fine, though I need some further QA 🙂
Thanks for the great and prompt help!
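The two-stage extraction from the configuration above, emulated in Python as an added example (not code from the thread or from Splunk); the Juniper event is constructed, the first-stage regex is the one posted, and the second stage is run twice to show what the whitespace-splitting `[^\s,]+` pattern does to a role name that contains a space:

```python
import re

# Constructed sample event, shaped to match the posted junipersa-role-info regex.
SAMPLE_EVENT = ("Juniper: 2024-01-01 12:00:00 - ive - [192.0.2.10] "
                "jdoe(Users)[role1, role2, some role3] - Login succeeded")

# Stage 1: the thread's junipersa-role-info regex; FORMAT = roles_string::$1
ROLE_INFO = re.compile(
    r"Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s"
    r"[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)")

# Stage 2a: the thread's junipersa-roles-mv regex with MV_ADD = true.
# Splunk (PCRE) writes the named group as (?<role>...); Python needs (?P<role>...).
ROLES_MV = re.compile(r"(?P<role>[^\s,]+)")

# Stage 2b (assumed alternative, not from the thread): split only on the comma,
# skipping the space after it, like makemv delim=", " and the fields.conf TOKENIZER.
ROLES_MV_DELIM = re.compile(r"(?P<role>[^\s,][^,]*)")


def extract_roles_string(event):
    """Stage 1: return the roles_string field, or None if the event does not match."""
    m = ROLE_INFO.search(event)
    return m.group(1) if m else None


def mv_add(source_value, pattern):
    """Emulate MV_ADD: every match over SOURCE_KEY becomes one value of the field."""
    return [m.group("role") for m in pattern.finditer(source_value)]


def extract_roles(event, split_on_whitespace=True):
    """Chain both stages; split_on_whitespace=True uses the posted regex."""
    roles_string = extract_roles_string(event)
    if roles_string is None:
        return []
    pattern = ROLES_MV if split_on_whitespace else ROLES_MV_DELIM
    return mv_add(roles_string, pattern)


if __name__ == "__main__":
    print(extract_roles(SAMPLE_EVENT))         # ['role1', 'role2', 'some', 'role3']
    print(extract_roles(SAMPLE_EVENT, False))  # ['role1', 'role2', 'some role3']
```

With the posted pattern a role such as "some role3" becomes two values, so role-based reporting on these VPN events would see a role that does not exist; the comma-delimited pattern keeps it whole.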

martin_mueller
SplunkTrust

Okay, so I assume this is in your props.conf:

[your_sourcetype]
...
REPORT-foo = junipersa-role-info

If so, append a second item like so:

REPORT-foo = junipersa-role-info,juniper-mvroles

And add that stanza to transforms.conf:

[juniper-mvroles]
REGEX = (?<rolemv>[^\s,]+)(?:[\s,]*)
SOURCE_KEY = role
MV_ADD = true

That'll extract the multivalues from the previous extracted field, no fields.conf entry necessary.

yuvalba
Path Finder

It works! (Although I don't fully understand the REGEX syntax - what is the second match group for?) And one last thing: I prefer to get the result in the role field and not a new field. I will try to do it unless you have a quick solution.

0 Karma

yuvalba
Path Finder

transforms.conf
[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([\s\d\w\,]+)\]\s-
FORMAT = role::$1

fields.conf
[role]
TOKENIZER = (\w[^\,]*)

0 Karma

martin_mueller
SplunkTrust

Ah, not in the search... What's the event around the roles / the regex to extract the role field?

0 Karma

yuvalba
Path Finder

Thanks. That's a good idea, but now how do I implement it in the configuration?

0 Karma