- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex to extract multivalue and null values from the fields.
Hi Community,
I would need your help in extracting multi field values from the below sample. I have a regex below which is not helping me in extracting multi field values, It's just extracting first value from the below log sample. So could you help me in modifying the regex please? Thanks in advance.
Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)*
e.g. multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\,
Current Result: dhcp-parameter-request-list=1 (Pls note just 1 is extracted from my regex but i would need other values i.e. 22, 3, 4, 77, 55, 77, 99 and 200 to get extracted as well)
Log source Sample:
Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\,
MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could modify your data to make extracting each field easier, then isolate the field you want further extraction on
| makeresults | eval events="Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\\, Policyversion=000\\, AuthenticationIdentityStore=Internal Endpoints\\, lldpcachecapabilities=B\\;T\\, EndpointPolicyID=xxx-xxx-xxxxx\\, LogicalProfile=xxx-xxx-xx\\, xxx-xxxx-xxxx\\, AuthenticationMethod=lookup\\, FirstCollection=1518577\\, CacheUpdateTime=10000\\, IdentityAtoreGUID=\\, StaticAssignment=false\\, UserName=xxx\\, NmapScanCpunt=0\\, NetwrokDeviceName=xx.xx.xx.com\\, DestIPAddress=xx.xx.xxx.xx\\, AAA-Server=xxx\\, MessageCode=000\\, Device Type= Device Type#All Device Types\\,PortalUser=\\, AllowedProtocalMatchedRule=Wired_MM\\, ciaddre=x.x.x.x\\, BYODRegistration=Unknown\\, Calling-Station-ID=xx-xx-xx-xx\\, dhcp-requested-address=xx.xx.xx.xx\\, FailureReason=-\\, dhcp-parameter-request-list=1\\, XX\\, X\\, X\\, XX\\, XX\\, XX\\, XXX\\, PostureApplicable=Yes\\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\\, phoneID=\\, hostname=xxxx\\, NAS-Port-Id=Gigabit Ethernet/x/xx\\, location=location #all locations#\\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,"
| rex field=events mode=sed "s/(?<k>[A-Za-z][A-Za-z\s_\-]+=)/@\1/g"
| rex field=events max_match=0 "@(?<keyvalue>[^@]+)"
| rex field=events mode=sed "s/@//g"I used @ as it doesn't appear in your sample string but you may need to use something else depending on the rest of your data.
