Convert CSV valued JSON field to multivalued field...

wstrellis · ‎01-22-2021

I have events that are being ingested in JSON format. Two of the fields are comma separated lists of MAC and IPv4 addresses. I would like to convert those fields to multivalue fields at index time.

Example input event:

{"foo": "bar", "host_ip": "122.33.44.120,85.30.248.114,64.4.28.230", "baz": "biz", "mac": "11:22:33:44:55:66,AA:BB:CC:DD:EE:FF,A1:A2:A3:A4:A5:A6", "oof": "rab"}

Example SPL query:

index="foo" sourcetype=mymultivaluesourcetype | table mac

Desired Output:

mac

11:22:33:44:55:66

AA:BB:CC:DD:EE:FF

A1:A2:A3:A4:A5:A6

Actual Output:

mac

11:22:33:44:55:66,AA:BB:CC:DD:EE:FF,A1:A2:A3:A4:A5:A6

props.conf:

[mymultivaluesourcetype]

REPORT-mv_host_ip = mvhostip

REPORT-mv_mac = mvmac

transforms.conf:

[mvhostip]
SOURCE_KEY = field:host_ip
REGEX = (?<host_ip>\d+\.\d+\.\d+\.\d+)
FORMAT = host_ip::$1
MV_ADD = true
REPEAT_MATCH = true

[mvmac]
SOURCE_KEY = field:mac
REGEX = (?<mac>\w+\:\w+\:\w+\:\w+\:\w+\w+\:\w+)
FORMAT = mac::$1
MV_ADD = true
REPEAT_MATCH = true

wstrellis · ‎01-22-2021

My SPL query should actually be:

index="foo" sourcetype=mymultivaluesourcetype | mvexpand mac | table mac

Convert CSV valued JSON field to multivalued field at index time

CSV

JSON

props.conf

transforms.conf

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation