Getting Data In

How to remove a group of characters for each value from list/multivalue.

dashield
Explorer

String of variable alert_type:

|detail.action=blocked|detail.devicename=hd03|detail.virus=fec_virus_macro_sic_1|detail.sha256=fd8a5b3ea9e59d3f863822cd2dddfbfded034f8ddad351c909732f18b1a82662|detail.md5=fecd3f3d9a9233c234bf0b455f73f65b

Objective:

Split the string by "|" and remove the "=" and followed characters.  Something like rstrip command however it wasn't working with multivalue.

E.g.

detail.action
detail.devicename
detail.virus
detail.sha256
detail.md5

It seems I need to used the foreach command however I'm not sure how i will used it.

Labels (1)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 field=alert_type "\|?(?<name>[^=]+)[^\|]+\|?"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

If it was in SPL this expression would work in rex, but since you tagged it as transforms.conf, I don't know what adjustments you might need but at least it might get you part of the way there

 

\|?(?<name>[^=]+)[^\|]+\|?

 

 

dashield
Explorer

Apologize I think I mistagged it. It was for SPL only.

It able to get the value of the first key (detail.action) after the split with "|". Is there a way I could get the rest of them?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 field=alert_type "\|?(?<name>[^=]+)[^\|]+\|?"

dashield
Explorer

You are amazing... Thanks a lot.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please clarify.  Is the field in question a string or a multi-value field?

The foreach command doesn't work on multi-value fields.

---
If this reply helps you, Karma would be appreciated.

dashield
Explorer

it was a string.

I need to split it with "|" then remove the values after the "="

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...