Getting Data In

Regex to extract multivalue and null values from the fields.

firefox95
Explorer

Hi Community,

I would need your help in extracting multi field values from the sample below. I have a regex below which is not helping me in extracting multi field values; it's just extracting the first value from the log sample below. So could you help me in modifying the regex, please? Thanks in advance.

Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)*

e.g. multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\,

Current Result: dhcp-parameter-request-list=1 (Please note that just 1 is extracted by my regex, but I would need the other values, i.e. 22, 3, 4, 77, 55, 77, 99 and 200, to get extracted as well)

Log source Sample:

Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\,
MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,


ITWhisperer
SplunkTrust

You could modify your data to make extracting each field easier, then isolate the field you want further extraction on.

| makeresults | eval events="Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\\, Policyversion=000\\, AuthenticationIdentityStore=Internal Endpoints\\, lldpcachecapabilities=B\\;T\\, EndpointPolicyID=xxx-xxx-xxxxx\\, LogicalProfile=xxx-xxx-xx\\, xxx-xxxx-xxxx\\, AuthenticationMethod=lookup\\, FirstCollection=1518577\\, CacheUpdateTime=10000\\, IdentityAtoreGUID=\\, StaticAssignment=false\\, UserName=xxx\\, NmapScanCpunt=0\\, NetwrokDeviceName=xx.xx.xx.com\\, DestIPAddress=xx.xx.xxx.xx\\, AAA-Server=xxx\\, MessageCode=000\\, Device Type= Device Type#All Device Types\\,PortalUser=\\, AllowedProtocalMatchedRule=Wired_MM\\, ciaddre=x.x.x.x\\, BYODRegistration=Unknown\\, Calling-Station-ID=xx-xx-xx-xx\\, dhcp-requested-address=xx.xx.xx.xx\\, FailureReason=-\\, dhcp-parameter-request-list=1\\, XX\\, X\\, X\\, XX\\, XX\\, XX\\, XXX\\, PostureApplicable=Yes\\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\\, phoneID=\\, hostname=xxxx\\, NAS-Port-Id=Gigabit Ethernet/x/xx\\, location=location #all locations#\\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,"
| rex field=events mode=sed "s/(?<k>[A-Za-z][A-Za-z\s_\-]+=)/@\1/g"
| rex field=events max_match=0 "@(?<keyvalue>[^@]+)"
| rex field=events mode=sed "s/@//g"

I used @ as it doesn't appear in your sample string, but you may need to use something else depending on the rest of your data.

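As an added example that is not part of the original thread, here is the same three-step approach from the answer above (mark every key, cut the event on the marker, strip the separator) written in Python, run against a constructed event line in the shape of the question's sample; the function names parse_event and split_multivalue are my own, not Splunk's.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the profiler event from the question (values
# anonymised as on the page). Inside EndpointProperty the pairs are separated by
# an escaped comma "\,", outside it by a plain ", ".
SAMPLE = (
    r"Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 "
    r"000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, "
    r"configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, "
    r"EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, "
    r"AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, "
    r"Device Type= Device Type#All Device Types\,PortalUser=\, FailureReason=-\, "
    r"dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\, "
    r"PostureApplicable=Yes\, Description=Voice:XXX Phones #VLAN:IPT-VOICE#SYNC:1.0\, "
    r"phoneID=\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, ProfileServer=xx.xx.xx.xx,"
)

# Same key shape as the answer's sed step: letters, spaces, underscores or hyphens
# followed by "=". "@" is the marker because it does not occur in the data.
KEY_RE = re.compile(r"([A-Za-z][A-Za-z\s_\-]+=)")
CHUNK_RE = re.compile(r"@([^@]+)")
TRAILING_SEP_RE = re.compile(r"\\?,\s*$")   # trailing "\, " or ", "


def parse_event(line: str) -> Dict[str, str]:
    """Mark every key, cut the line into key=value chunks, strip the separator.

    Nested pairs under EndpointProperty come out as top-level keys, exactly as
    the answer's rex pipeline produces them; EndpointProperty itself is empty.
    """
    marked = KEY_RE.sub(r"@\1", line)
    fields: Dict[str, str] = {}
    for chunk in CHUNK_RE.findall(marked):
        chunk = TRAILING_SEP_RE.sub("", chunk)
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def split_multivalue(value: str) -> List[str]:
    """Split a value such as "1\\, 22\\, 3" on the escaped commas, dropping empties."""
    return [part.strip() for part in re.split(r"\\,", value) if part.strip()]


if __name__ == "__main__":
    fields = parse_event(SAMPLE)
    print(split_multivalue(fields["dhcp-parameter-request-list"]))
    # → ['1', '22', '3', '4', '77', '55', '99', '200']
```

Keys that legitimately contain "=" or "@" in their values would need a different marker or key pattern, which is the caveat the answer makes about the rest of the data.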