Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex to extract multivalue and null values from the fields.

firefox95
Explorer
‎10-27-2020 07:09 AM

Hi Community,

I would need your help in extracting multi field values from the below sample. I have a regex below which is not helping me in extracting multi field values, It's just extracting first value from the  below log sample. So could you help me in modifying the regex please? Thanks in advance.

Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)*

e.g. multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\,

Current Result: dhcp-parameter-request-list=1 (Pls note just 1 is extracted from my regex but i would need other values i.e. 22, 3, 4, 77, 55, 77, 99 and 200 to get extracted as well) 

Log source Sample:

Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\,
MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2020 08:16 AM

You could modify your data to make extracting each field easier, then isolate the field you want further extraction on

| makeresults | eval events="Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\\, Policyversion=000\\, AuthenticationIdentityStore=Internal Endpoints\\, lldpcachecapabilities=B\\;T\\, EndpointPolicyID=xxx-xxx-xxxxx\\, LogicalProfile=xxx-xxx-xx\\, xxx-xxxx-xxxx\\, AuthenticationMethod=lookup\\, FirstCollection=1518577\\, CacheUpdateTime=10000\\, IdentityAtoreGUID=\\, StaticAssignment=false\\, UserName=xxx\\, NmapScanCpunt=0\\, NetwrokDeviceName=xx.xx.xx.com\\, DestIPAddress=xx.xx.xxx.xx\\, AAA-Server=xxx\\, MessageCode=000\\, Device Type= Device Type#All Device Types\\,PortalUser=\\, AllowedProtocalMatchedRule=Wired_MM\\, ciaddre=x.x.x.x\\, BYODRegistration=Unknown\\, Calling-Station-ID=xx-xx-xx-xx\\, dhcp-requested-address=xx.xx.xx.xx\\, FailureReason=-\\, dhcp-parameter-request-list=1\\, XX\\, X\\, X\\, XX\\, XX\\, XX\\, XXX\\, PostureApplicable=Yes\\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\\, phoneID=\\, hostname=xxxx\\, NAS-Port-Id=Gigabit Ethernet/x/xx\\, location=location #all locations#\\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,"
| rex field=events mode=sed "s/(?<k>[A-Za-z][A-Za-z\s_\-]+=)/@\1/g"
| rex field=events max_match=0 "@(?<keyvalue>[^@]+)"
| rex field=events mode=sed "s/@//g"

I used @ as it doesn't appear in your sample string but you may need to use something else depending on the rest of your data. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...