Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Regex to extract multivalue and null values from t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex to extract multivalue and null values from the fields.
firefox95
Explorer
10-27-2020
07:09 AM
Hi Community,
I would need your help in extracting multi field values from the below sample. I have a regex below which is not helping me in extracting multi field values, It's just extracting first value from the below log sample. So could you help me in modifying the regex please? Thanks in advance.
Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)*
e.g. multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\,
Current Result: dhcp-parameter-request-list=1 (Pls note just 1 is extracted from my regex but i would need other values i.e. 22, 3, 4, 77, 55, 77, 99 and 200 to get extracted as well)
Log source Sample:
Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\,
MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-27-2020
08:16 AM
You could modify your data to make extracting each field easier, then isolate the field you want further extraction on
| makeresults | eval events="Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\\, Policyversion=000\\, AuthenticationIdentityStore=Internal Endpoints\\, lldpcachecapabilities=B\\;T\\, EndpointPolicyID=xxx-xxx-xxxxx\\, LogicalProfile=xxx-xxx-xx\\, xxx-xxxx-xxxx\\, AuthenticationMethod=lookup\\, FirstCollection=1518577\\, CacheUpdateTime=10000\\, IdentityAtoreGUID=\\, StaticAssignment=false\\, UserName=xxx\\, NmapScanCpunt=0\\, NetwrokDeviceName=xx.xx.xx.com\\, DestIPAddress=xx.xx.xxx.xx\\, AAA-Server=xxx\\, MessageCode=000\\, Device Type= Device Type#All Device Types\\,PortalUser=\\, AllowedProtocalMatchedRule=Wired_MM\\, ciaddre=x.x.x.x\\, BYODRegistration=Unknown\\, Calling-Station-ID=xx-xx-xx-xx\\, dhcp-requested-address=xx.xx.xx.xx\\, FailureReason=-\\, dhcp-parameter-request-list=1\\, XX\\, X\\, X\\, XX\\, XX\\, XX\\, XXX\\, PostureApplicable=Yes\\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\\, phoneID=\\, hostname=xxxx\\, NAS-Port-Id=Gigabit Ethernet/x/xx\\, location=location #all locations#\\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,"
| rex field=events mode=sed "s/(?<k>[A-Za-z][A-Za-z\s_\-]+=)/@\1/g"
| rex field=events max_match=0 "@(?<keyvalue>[^@]+)"
| rex field=events mode=sed "s/@//g"I used @ as it doesn't appear in your sample string but you may need to use something else depending on the rest of your data.
Get Updates on the Splunk Community!
See just what you’ve been missing | Observability tracks at Splunk University
Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
Weezer at .conf25? Say it ain’t so!
Hello Splunkers,
The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...
How SC4S Makes Suricata Logs Ingestion Simple
Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
