I need to extract multivalues from a field with the following value format:
role1, role2, some role3
The problem is that there are spaces after the commas.
I was able to do it successfully using the following search:
| rex mode=sed field=role "s/, /,/g" | makemv delim="," role
How can I implement it on the configuration?
makemv delim=", ":
| stats count | eval field = "a, b, c" | makemv field delim=", "
Thanks. Tha'ts a good idea. but now how do I implement it in the configuration?
Ah, not in the search... What's the event around the roles / the regex to extract the
transforms.conf [junipersa-role-info] REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([\s\d\w\,]+)\]\s- FORMAT = role::$1 fields.conf [role] TOKENIZER = (\w[^\,]*)
Okay, so I assume this is in your props.conf:
[your_sourcetype] ... REPORT-foo = junipersa-role-info
If so, append a second item like so:
REPORT-foo = junipersa-role-info,juniper-mvroles
And add that stanza to transforms.conf:
[juniper-mvroles] REGEX = (?<rolemv>[^\s,]+)(?:[\s,]*) SOURCE_KEY = role MV_ADD = true
That'll extract the multivalues from the previous extracted field, no fields.conf entry necessary.
It works! (although I don't fully understand the REGEX syntax - what is the second match group for). And last thing, I prefer to get the result in the role field and not a new field. I will try to do it unless you have a quick solution.
You can change the
FORMAT of the old
role field to a different name, set the
SOURCE_KEY of the new extraction to that and the named capturing group to
role. You can't have both as
role because then the individual values would get added to the three-roles-string.
As for the regex, the second non-capturing group is for "eating up" the comma and space between the individual values. Might actually not be necessary.
Here is my final configuration as suggested:
[junipersa-role-info] REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+) FORMAT = roles_string::$1 [junipersa-roles-mv] SOURCE_KEY = roles_string MV_ADD = true REGEX = (?<role>[^\s,]+)
Seems to work fine, though I need some further QA 🙂
Thanks for the great and prompt help!