Solved: How can I extract multiple fields?

jacknguyen · ‎04-04-2023

I have a log event and I want to extract like this:

I want to show it line the red line. How ever it just recive the first line in event. how to show all the blue line?

Thank you for your help.

yeahnah · ‎04-04-2023

Thanks, that helps a lot.

It's an interesting data set, multi-line with different CSV headers in the one event.

The following is a method that should meet your use case

... your search ...
| rex field=_raw "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

It pulls out (rex) the CSV section you're interested in and then uses the multikv command to extract the data as single line events.

You can rename the output fields if you like too.

Here's my run anywhere search I used to test the above.

| makeresults
| eval event="TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Tue Apr  4 15:57:03 2023,1680598623
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr  4 09:21:41 2023,1680574901,louis_tran,181,1
CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr  4 09:15:02 2023,1680574502,wanki_trinh,180,0
CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr  4 13:53:19 2023,1680591199,william_nguyen,186,4
CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr  4 13:44:11 2023,1680590651,kane_vu,185,3
CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr  4 15:16:46 2023,1680596206,peter_nguyen,190,5
CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr  4 09:32:59 2023,1680575579,jack_nguyen,182,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr  4 15:57:01 2023,1680598621
ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr  4 15:56:44 2023,1680598604
ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr  4 15:56:59 2023,1680598619
ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr  4 15:57:01 2023,1680598621
GLOBAL_STATS,Max bcast/mcast queue length,6
END"
  ``` above just creates the dummy events ```
| rex field=event "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

Hope this helps

View solution in original post

yeahnah · ‎04-04-2023

Hi @jacknguyen

It is easier to help if you copy and paste the whole event as text - place inside a preformatted style, or code sample </> helps too.

Screen shots like this, with big multi-line events make it far harder to help and get some SPL code working.

jacknguyen · ‎04-04-2023

this is event:

</>TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 TIME,Wed Apr 5 08:58:23 2023,1680659903 HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID CLIENT_LIST,jack_nguyen,116.100.47.155:1130,10.10.0.25,,2293690,17795968,Wed Apr 5 08:38:22 2023,1680658702,jack_nguyen,201,2 CLIENT_LIST,kane_vu,116.100.47.155:1135,10.10.0.35,,807236,269755,Wed Apr 5 08:50:46 2023,1680659446,kane_vu,202,3 CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,891114,9413845,Wed Apr 5 08:34:28 2023,1680658468,wanki_trinh,200,1 CLIENT_LIST,torin_huynh,116.110.42.16:62901,10.10.0.32,,2798473,5631112,Wed Apr 5 08:26:47 2023,1680658007,torin_huynh,199,0 CLIENT_LIST,william_vo,116.100.47.155:1138,10.10.0.22,,621296,10725869,Wed Apr 5 08:55:22 2023,1680659722,william_vo,203,4 HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t) ROUTING_TABLE,10.10.0.22,william_vo,116.100.47.155:1138,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1130,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Wed Apr 5 08:58:17 2023,1680659897 ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1135,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.32,torin_huynh,116.110.42.16:62901,Wed Apr 5 08:58:22 2023,1680659902 GLOBAL_STATS,Max bcast/mcast queue length,6 END<\>

yeahnah · ‎04-04-2023

Sorry, I could have been clearer, the </> is an icon in the editor where you can add content so that the output does not get modified.

Please try adding again

jacknguyen · ‎04-04-2023

TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Tue Apr  4 15:57:03 2023,1680598623
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr  4 09:21:41 2023,1680574901,louis_tran,181,1
CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr  4 09:15:02 2023,1680574502,wanki_trinh,180,0
CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr  4 13:53:19 2023,1680591199,william_nguyen,186,4
CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr  4 13:44:11 2023,1680590651,kane_vu,185,3
CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr  4 15:16:46 2023,1680596206,peter_nguyen,190,5
CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr  4 09:32:59 2023,1680575579,jack_nguyen,182,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr  4 15:57:01 2023,1680598621
ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr  4 15:56:44 2023,1680598604
ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr  4 15:56:59 2023,1680598619
ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr  4 15:57:01 2023,1680598621
GLOBAL_STATS,Max bcast/mcast queue length,6
END

oh sorry my fault. there is

yeahnah · ‎04-04-2023

Thanks, that helps a lot.

It's an interesting data set, multi-line with different CSV headers in the one event.

The following is a method that should meet your use case

... your search ...
| rex field=_raw "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

It pulls out (rex) the CSV section you're interested in and then uses the multikv command to extract the data as single line events.

You can rename the output fields if you like too.

Here's my run anywhere search I used to test the above.

| makeresults
| eval event="TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Tue Apr  4 15:57:03 2023,1680598623
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr  4 09:21:41 2023,1680574901,louis_tran,181,1
CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr  4 09:15:02 2023,1680574502,wanki_trinh,180,0
CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr  4 13:53:19 2023,1680591199,william_nguyen,186,4
CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr  4 13:44:11 2023,1680590651,kane_vu,185,3
CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr  4 15:16:46 2023,1680596206,peter_nguyen,190,5
CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr  4 09:32:59 2023,1680575579,jack_nguyen,182,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr  4 15:57:01 2023,1680598621
ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr  4 15:56:44 2023,1680598604
ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr  4 15:56:59 2023,1680598619
ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr  4 15:57:01 2023,1680598621
GLOBAL_STATS,Max bcast/mcast queue length,6
END"
  ``` above just creates the dummy events ```
| rex field=event "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

Hope this helps

jacknguyen · ‎04-10-2023

thank you for your help. its work

How can I extract multiple fields?

field extraction

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake