I need to extract multivalues from a field with the following value format: role1, role2, some role3
The problem is that there are spaces after the commas.
I was able to do it successfully using the following search: | rex mode=sed field=role "s/, /,/g" | makemv delim="," role
How can I implement it on the configuration?
Just use makemv delim=", ":
| stats count | eval field = "a, b, c" | makemv field delim=", "
You can change the FORMAT of the old role field to a different name, set the SOURCE_KEY of the new extraction to that and the named capturing group to role. You can't have both as role because then the individual values would get added to the three-roles-string.
As for the regex, the second non-capturing group is for "eating up" the comma and space between the individual values. Might actually not be necessary.
Here is my final configuration as suggested:
[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)
FORMAT = roles_string::$1
[junipersa-roles-mv]
SOURCE_KEY = roles_string
MV_ADD = true
REGEX = (?<role>[^\s,]+)
Seems to work fine, though I need some further QA 🙂
Thanks for the great and prompt help!
Okay, so I assume this is in your props.conf:
[your_sourcetype]
...
REPORT-foo = junipersa-role-info
If so, append a second item like so:
REPORT-foo = junipersa-role-info,juniper-mvroles
And add that stanza to transforms.conf:
[juniper-mvroles]
REGEX = (?<rolemv>[^\s,]+)(?:[\s,]*)
SOURCE_KEY = role
MV_ADD = true
That'll extract the multivalues from the previous extracted field, no fields.conf entry necessary.
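As an added illustration (not part of this thread's Splunk configuration), the following Python model emulates the two-transform chain described above (one REPORT extraction producing the role string, a second one with SOURCE_KEY and MV_ADD tokenizing it) next to the search-time makemv alternative. The event, the first regex and the field names are constructed stand-ins for the Juniper event; it shows that the trailing non-capturing group yields the same tokens as the plain one, that naming both extractions role keeps the full string in the list, and that a `[^\s,]+` tokenizer also splits on the space inside a multi-word role such as "some role3".

```python
import re

# Constructed sample event (not from the thread); the real Juniper event and
# the OP's full REGEX are not reproduced here.
EVENT = 'user=alice roles=[role1, role2, some role3] - login ok'

# Hypothetical stand-in for the first transform: one capturing group that
# pulls the whole comma-separated role string out of the event.
ROLE_STRING_REGEX = r"roles=\[([^\]]+)\]"

# The two tokenizers discussed in the thread. PCRE's (?<name>...) is spelled
# (?P<name>...) in Python; the behaviour is the same.
MV_REGEX_WITH_EATER = r"(?P<rolemv>[^\s,]+)(?:[\s,]*)"
MV_REGEX_PLAIN = r"(?P<rolemv>[^\s,]+)"


def report_extract(event, regex, field_name):
    """Model a REPORT transform with FORMAT = <field_name>::$1."""
    m = re.search(regex, event)
    return {field_name: [m.group(1)]} if m else {}


def mv_add_extract(fields, source_key, regex):
    """Model a transform with SOURCE_KEY = <source_key>, MV_ADD = true.

    Every match of each named group is appended to that group's field. If the
    group carries the same name as source_key, the original string stays in
    the list too, which is the 'both as role' problem described in the thread.
    """
    fields = {k: list(v) for k, v in fields.items()}
    source = " ".join(fields.get(source_key, []))
    for m in re.finditer(regex, source):
        for name, value in m.groupdict().items():
            fields.setdefault(name, []).append(value)
    return fields


def roles_from_event(event, string_field="roles_string",
                     mv_regex=MV_REGEX_WITH_EATER):
    """Run both transforms in order, as a REPORT-foo = a,b chain would."""
    fields = report_extract(event, ROLE_STRING_REGEX, string_field)
    return mv_add_extract(fields, string_field, mv_regex)


def makemv_split(event):
    """The search-time alternative from the thread: makemv delim=", "."""
    fields = report_extract(event, ROLE_STRING_REGEX, "role")
    return fields["role"][0].split(", ")
```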
It works! (although I don't fully understand the REGEX syntax - what is the second match group for?) And last thing, I prefer to get the result in the role field and not a new field. I will try to do it unless you have a quick solution.
transforms.conf
[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([\s\d\w\,]+)\]\s-
FORMAT = role::$1
fields.conf
[role]
TOKENIZER = (\w[^\,]*)
Ah, not in the search... What's the event around the roles / the regex to extract the role field?
Thanks. That's a good idea, but now how do I implement it in the configuration?