
How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

Path Finder

I need to extract multivalues from a field with the following value format: role1, role2, some role3
The problem is that there are spaces after the commas.
I was able to do it successfully using the following search: | rex mode=sed field=role "s/, /,/g" | makemv delim="," role
How can I implement it on the configuration?


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

SplunkTrust

Just use makemv delim=", ":

| stats count | eval field = "a, b, c" | makemv field delim=", "


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

Path Finder

Thanks. That's a good idea, but now how do I implement it in the configuration?


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

SplunkTrust

Ah, not in the search... What's the event around the roles / the regex to extract the role field?


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

Path Finder

transforms.conf

[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([\s\d\w\,]+)\]\s-
FORMAT = role::$1

fields.conf

[role]
TOKENIZER = (\w[^\,]*)


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

SplunkTrust

Okay, so I assume this is in your props.conf:

[your_sourcetype]
...
REPORT-foo = junipersa-role-info

If so, append a second item like so:

REPORT-foo = junipersa-role-info,juniper-mvroles

And add that stanza to transforms.conf:

[juniper-mvroles]
REGEX = (?<rolemv>[^\s,]+)(?:[\s,]*)
SOURCE_KEY = role
MV_ADD = true

That'll extract the multivalues from the previous extracted field, no fields.conf entry necessary.


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

Path Finder

It works! (although I don't fully understand the REGEX syntax - what is the second match group for?) And one last thing: I prefer to get the result in the role field and not in a new field. I will try to do it unless you have a quick solution.


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

SplunkTrust

You can change the FORMAT of the old role field to a different name, set the SOURCE_KEY of the new extraction to that and the named capturing group to role. You can't have both as role because then the individual values would get added to the three-roles-string.

As for the regex, the second non-capturing group is for "eating up" the comma and space between the individual values. Might actually not be necessary.


Re: How to configure props.conf and transforms.conf for multivalue field extraction and strip whitespaces for Juniper SSLVPN logs?

Path Finder

Here is my final configuration as suggested:

[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)
FORMAT = roles_string::$1

[junipersa-roles-mv]
SOURCE_KEY = roles_string
MV_ADD = true
REGEX = (?<role>[^\s,]+)

Seems to work fine, though I need some further QA 🙂
Thanks for the great and prompt help!
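Added example (not part of the thread, and not Splunk's own code): a small Python model of the two-stage extraction in the final configuration above, run over a constructed Juniper SA log line. It copies the thread's stage-1 REGEX verbatim and the stage-2 REGEX with Python's `(?P<role>...)` named-group spelling in place of PCRE's `(?<role>...)`. It also shows the two points raised in the thread: with MV_ADD the new values are appended to whatever the target field already holds, so SOURCE_KEY and the capture group must be different field names; and the stage-2 pattern `[^\s,]+` splits on whitespace as well as commas, so a role such as "some role3" (from the original question) becomes two values. The `MV_REGEX_KEEP_SPACES` pattern is an assumption of mine, not something suggested in the thread; it keeps inner spaces and drops the padding around each value.

```python
import re

# Constructed sample event in the shape the thread's stage-1 regex expects
# (assumed sample, not a log line from the thread).
SAMPLE_EVENT = (
    "Juniper: 2020-01-01 12:00:00 - ive - [10.0.0.5] jdoe(Users Realm)"
    "[role1, role2, some role3] - Login succeeded for user"
)

# Stage 1: [junipersa-role-info] REGEX from the final configuration, verbatim.
ROLE_INFO_REGEX = re.compile(
    r"Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s"
    r"[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)"
)

# Stage 2: [junipersa-roles-mv] REGEX. Splunk (PCRE) writes (?<role>...);
# Python's re module needs (?P<role>...), which is the only change here.
MV_REGEX_THREAD = re.compile(r"(?P<role>[^\s,]+)")

# Variant (my assumption, not from the thread): one value per comma-separated
# item, inner spaces kept, leading/trailing whitespace and the comma dropped.
MV_REGEX_KEEP_SPACES = re.compile(r"(?P<role>[^,\s](?:[^,]*[^,\s])?)")


def extract_roles_string(event: str):
    """Stage 1: FORMAT = roles_string::$1 gives the raw comma list, or None if
    the event does not match."""
    m = ROLE_INFO_REGEX.search(event)
    return m.group(1) if m else None


def mv_extract(source_value: str, pattern: re.Pattern) -> list:
    """Stage 2 with MV_ADD = true: every match of the pattern over the SOURCE_KEY
    value contributes one value to the named capture group's field."""
    return [m.group("role") for m in pattern.finditer(source_value)]


def apply_transforms(event: str, roles_field: str, mv_field: str,
                     pattern: re.Pattern) -> dict:
    """Model both stages. roles_field is the stage-1 FORMAT name and the stage-2
    SOURCE_KEY; mv_field is the stage-2 capture group name. With MV_ADD the
    extracted values are appended to the target field, so when both names are
    the same the original string and the pieces end up in one field, which is
    the behaviour the answer warns about."""
    fields = {}
    roles_string = extract_roles_string(event)
    if roles_string is None:
        return fields
    fields[roles_field] = [roles_string]
    values = mv_extract(roles_string, pattern)
    fields.setdefault(mv_field, []).extend(values)
    return fields


if __name__ == "__main__":
    print(apply_transforms(SAMPLE_EVENT, "roles_string", "role", MV_REGEX_THREAD))
    print(apply_transforms(SAMPLE_EVENT, "roles_string", "role", MV_REGEX_KEEP_SPACES))
    print(apply_transforms(SAMPLE_EVENT, "role", "role", MV_REGEX_THREAD))
```

Running it with the thread's pattern yields `role = ['role1', 'role2', 'some', 'role3']`; if role names in the real data can contain spaces, a pattern that only splits on commas (the variant above) keeps `'some role3'` intact. The third call shows the same-name case: `role` holds the full string plus each piece, which is why the final configuration uses `roles_string` for stage 1 and `role` for stage 2.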