Getting Data In

How can I extract multiple fields?

jacknguyen
Path Finder

I have a log event and I want to extract like this:

image.png

I want to show it line the red line. How ever it just recive the first line in event. how to show all the blue line?

Thank you for your help.

Labels (1)
0 Karma
1 Solution

yeahnah
Motivator

Thanks, that helps a lot.

It's an interesting data set, multi-line with different CSV headers in the one event.

The following is a method that should meet your use case

 

... your search ...
| rex field=_raw "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

 

It pulls out (rex) the CSV section you're interested in and then uses the multikv command to extract the data as single line events. 

You can rename the output fields if you like too.

Here's my run anywhere search I used to test the above.

 

| makeresults
| eval event="TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Tue Apr  4 15:57:03 2023,1680598623
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr  4 09:21:41 2023,1680574901,louis_tran,181,1
CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr  4 09:15:02 2023,1680574502,wanki_trinh,180,0
CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr  4 13:53:19 2023,1680591199,william_nguyen,186,4
CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr  4 13:44:11 2023,1680590651,kane_vu,185,3
CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr  4 15:16:46 2023,1680596206,peter_nguyen,190,5
CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr  4 09:32:59 2023,1680575579,jack_nguyen,182,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr  4 15:57:01 2023,1680598621
ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr  4 15:56:44 2023,1680598604
ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr  4 15:56:59 2023,1680598619
ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr  4 15:57:01 2023,1680598621
GLOBAL_STATS,Max bcast/mcast queue length,6
END"
  ``` above just creates the dummy events ```
| rex field=event "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

 

Hope this helps

View solution in original post

0 Karma

yeahnah
Motivator

Hi @jacknguyen 

It is easier to help if you copy and paste the whole event as text - place inside a preformatted style, or code sample </> helps too.

Screen shots like this, with big multi-line events make it far harder to help and get some SPL code working.

jacknguyen
Path Finder

this is event:

</>TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 TIME,Wed Apr 5 08:58:23 2023,1680659903 HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID CLIENT_LIST,jack_nguyen,116.100.47.155:1130,10.10.0.25,,2293690,17795968,Wed Apr 5 08:38:22 2023,1680658702,jack_nguyen,201,2 CLIENT_LIST,kane_vu,116.100.47.155:1135,10.10.0.35,,807236,269755,Wed Apr 5 08:50:46 2023,1680659446,kane_vu,202,3 CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,891114,9413845,Wed Apr 5 08:34:28 2023,1680658468,wanki_trinh,200,1 CLIENT_LIST,torin_huynh,116.110.42.16:62901,10.10.0.32,,2798473,5631112,Wed Apr 5 08:26:47 2023,1680658007,torin_huynh,199,0 CLIENT_LIST,william_vo,116.100.47.155:1138,10.10.0.22,,621296,10725869,Wed Apr 5 08:55:22 2023,1680659722,william_vo,203,4 HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t) ROUTING_TABLE,10.10.0.22,william_vo,116.100.47.155:1138,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1130,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Wed Apr 5 08:58:17 2023,1680659897 ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1135,Wed Apr 5 08:58:22 2023,1680659902 ROUTING_TABLE,10.10.0.32,torin_huynh,116.110.42.16:62901,Wed Apr 5 08:58:22 2023,1680659902 GLOBAL_STATS,Max bcast/mcast queue length,6 END<\>

0 Karma

yeahnah
Motivator

Sorry, I could have been clearer, the </> is an icon in the editor where you can add content so that the output does not get modified.

yeahnah_0-1680663909520.png

Please try adding again


0 Karma

jacknguyen
Path Finder
TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Tue Apr  4 15:57:03 2023,1680598623
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr  4 09:21:41 2023,1680574901,louis_tran,181,1
CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr  4 09:15:02 2023,1680574502,wanki_trinh,180,0
CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr  4 13:53:19 2023,1680591199,william_nguyen,186,4
CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr  4 13:44:11 2023,1680590651,kane_vu,185,3
CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr  4 15:16:46 2023,1680596206,peter_nguyen,190,5
CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr  4 09:32:59 2023,1680575579,jack_nguyen,182,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr  4 15:57:01 2023,1680598621
ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr  4 15:56:44 2023,1680598604
ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr  4 15:56:59 2023,1680598619
ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr  4 15:57:01 2023,1680598621
GLOBAL_STATS,Max bcast/mcast queue length,6
END

oh sorry my fault. there is

0 Karma

yeahnah
Motivator

Thanks, that helps a lot.

It's an interesting data set, multi-line with different CSV headers in the one event.

The following is a method that should meet your use case

 

... your search ...
| rex field=_raw "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

 

It pulls out (rex) the CSV section you're interested in and then uses the multikv command to extract the data as single line events. 

You can rename the output fields if you like too.

Here's my run anywhere search I used to test the above.

 

| makeresults
| eval event="TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Tue Apr  4 15:57:03 2023,1680598623
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,louis_tran,116.100.47.155:1044,10.10.0.20,,13285791,65784195,Tue Apr  4 09:21:41 2023,1680574901,louis_tran,181,1
CLIENT_LIST,wanki_trinh,116.100.47.155:1194,10.10.0.21,,13753119,165936845,Tue Apr  4 09:15:02 2023,1680574502,wanki_trinh,180,0
CLIENT_LIST,william_nguyen,116.100.47.155:1107,10.10.0.46,,2458734,17228162,Tue Apr  4 13:53:19 2023,1680591199,william_nguyen,186,4
CLIENT_LIST,kane_vu,116.100.47.155:1106,10.10.0.35,,8842662,20247670,Tue Apr  4 13:44:11 2023,1680590651,kane_vu,185,3
CLIENT_LIST,peter_nguyen,116.100.47.155:1118,10.10.0.12,,14031959,28603186,Tue Apr  4 15:16:46 2023,1680596206,peter_nguyen,190,5
CLIENT_LIST,jack_nguyen,116.100.47.155:1049,10.10.0.25,,31338513,125792327,Tue Apr  4 09:32:59 2023,1680575579,jack_nguyen,182,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.10.0.25,jack_nguyen,116.100.47.155:1049,Tue Apr  4 15:57:01 2023,1680598621
ROUTING_TABLE,10.10.0.21,wanki_trinh,116.100.47.155:1194,Tue Apr  4 15:56:44 2023,1680598604
ROUTING_TABLE,10.10.0.35,kane_vu,116.100.47.155:1106,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.20,louis_tran,116.100.47.155:1044,Tue Apr  4 15:56:59 2023,1680598619
ROUTING_TABLE,10.10.0.46,william_nguyen,116.100.47.155:1107,Tue Apr  4 15:57:02 2023,1680598622
ROUTING_TABLE,10.10.0.12,peter_nguyen,116.100.47.155:1118,Tue Apr  4 15:57:01 2023,1680598621
GLOBAL_STATS,Max bcast/mcast queue length,6
END"
  ``` above just creates the dummy events ```
| rex field=event "^(?:.+?[\n\r]){2}HEADER,(?<_raw>(.+[\n\r])+)HEADER"
| multikv forceheader=1
| table Common_Name Virtual_Address Connected_Since

 

Hope this helps

0 Karma

jacknguyen
Path Finder

thank you for your help. its work

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...