Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multivalue field extraction using props and transforms at search time.

abhisplunk1
Explorer
2 weeks ago

I have a field pluginText field which has plugin paths with multiple values, i want to extract each path 

for example in a json event pluginText looks like:
 

{,..., "pluginText""<plugin_output>\nNessus detected 8 installs of Microsoft OneDrive:\n\n  Path    : C:\\Users\\user1\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 22.238\n\n  Path    : C:\\Users\\user2\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 25.140\n\n  Path    : C:\\Users\\user3\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 21.180\n\n  Path    : C:\\Users\\user4\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 25.65\n\n  Path    : C:\\Users\\user5\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 21.220.\n\n  Path    : C:\\Users\\user6\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 25.179\n\n  Path    : C:\\Users\\user7\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 25.65\n\n  Path    : C:\\Users\\user8\\AppData\\Local\\Microsoft\\OneDrive\\\n  Version : 21.220\n</plugin_output>""....}

on search page \\n goes to new line, so i have written the following regex, on UI it's working to have multiple values
| rex max_match=15 field=pluginText "Path[\s\:]+(?<plugin_path>.*?)[\n\r]"


but when i tried to extract same with props and transforms using below, the extraction didn't work, 
[logsourcetype]
REPORT-new_plugin_path = extracting_plugin_path

[extracting_plugin_path]
REGEX = Path[\s\:]+(?<plugin_path>.*?)[\n\r]
REPEAT_MATCH = true
MV_ADD = true

looking for working props and transforms for this kind of situation, thanks!

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9....

KV_MODE-based extractions take place _after_ REPORT and EXTRACT so you can't rely on fields extracted with automatic json parsing in your transform. You might try to rewrite your extraction as a calculated field using text functions but that might be tricky.

0 Karma
Reply

PrewinThomas
Motivator
2 weeks ago

@abhisplunk1 

Can you try below,

[extracting_plugin_path]
SOURCE_KEY = pluginText
REGEX = (?s)Path\s*:\s*(?<plugin_path>.+?)(\\r|\\n)
REPEAT_MATCH = true
MV_ADD = true

 

Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...