Splunk Enterprise

Multivalue Field extraction using Regular Expressions

perrinj2
Path Finder

I'm trying to extract fields from the following event data

[Scenario_summary]
Scenario Type=Manual Scenario
Goal Profile Name=Schedule 1
Mode=Scenario Scheduling
Scenario Duration=Start 27 Vusers: 1 every 00:00:15 (HH:MM:SS); Run for 00:30:00 (HH:MM:SS); Stop all Vusers simultaneously
Load Behavior=Initialize each Vuser just before it runs

[Scripts]
apache_on_5154=D:\LoadRunner Repo\LoadRunner\Loadrunner Scripts\apache_on_5154\apache_on_5154.usr
AjaxClickAndScript1=D:\LoadRunner Scripts\SPLUNK_SOLUTION_2\AjaxClickAndScript1\AjaxClickAndScript1.usr
AddNewCustomer=D:\CPE_Demo\AddNewCustomer\AddNewCustomer.usr

[Scripts_types]
apache_on_5154=Multi+QTWeb
AjaxClickAndScript1=WebAjax
AddNewCustomer=Multi+QTWeb

Specifically I want to extract the LoadRunner group names and protocols below the [Scripts_types] which can be 1 to n depending on the Scenario. In this example the script names would be

apache_on_5154
AjaxClickAndScript1
AddNewCustomer

I've tried a regular expression with a named group to extract the fields. eg

\[Scripts_types\]\n(?<Group1>.+)=.+
\[Scripts_types\]\n(?:.+)=.+\n(?<Group2>.+)=.+\n(?:.+)=.+
\[Scripts_types\]\n(?:.+)=.+\n(?:.+)=.+\n(?<Group3>.+)=.+

But that gives me 3 different named fields and does not cater for the case where there are more or less of these lines in the event.

If I use a repeating group like

\[Scripts_types\](\n(?<GroupName>.+)=.+)+

It only captures the last iteration, i.e. "AddNewCustomer"

Anyone know how to deal with this? 

ITWhisperer
SplunkTrust
SplunkTrust

Having got a single field, can you not run a further regex on that to get just the data you require?

perrinj2
Path Finder

Further to this, the following regex

\[Scripts_types\](?<Scripts_types>(?:\n(?:.+)=.+)+)

will extract a single named group with value

apache_on_5154=Multi+QTWeb AjaxClickAndScript1=WebAjax AddNewCustomer=Multi+QTWeb

which I think is the only regex that makes sense in this situation.

So I'll look at how to extract the required fields from the field values. Any tips on this approach appreciated.

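The two-pass approach suggested in the thread, worked through as an added Python example (not code from the thread or from Splunk): pass one uses the block-capturing regex from the post above, pass two runs a per-line regex over that capture, which is what `rex field=<name> max_match=0` does in SPL to produce a multivalue field. It also shows why the repeated-group attempt only keeps the last iteration. The sample event is a trimmed copy of the one in the question.

```python
import re

# Sample input: the LoadRunner scenario event from the question, trimmed to
# the lines that matter for the extraction (constructed test data).
EVENT = r"""[Scenario_summary]
Scenario Type=Manual Scenario
Mode=Scenario Scheduling

[Scripts]
apache_on_5154=D:\LoadRunner Repo\LoadRunner\Loadrunner Scripts\apache_on_5154\apache_on_5154.usr
AjaxClickAndScript1=D:\LoadRunner Scripts\SPLUNK_SOLUTION_2\AjaxClickAndScript1\AjaxClickAndScript1.usr
AddNewCustomer=D:\CPE_Demo\AddNewCustomer\AddNewCustomer.usr

[Scripts_types]
apache_on_5154=Multi+QTWeb
AjaxClickAndScript1=WebAjax
AddNewCustomer=Multi+QTWeb
"""

# Pass 1: the regex from the follow-up post. One capture holds the whole block.
BLOCK_RE = re.compile(r"\[Scripts_types\](?P<Scripts_types>(?:\n(?:.+)=.+)+)")

# The repeated-group attempt from the question: a quantified group only
# retains the value of its last iteration, so GroupName ends up as one name.
REPEATED_RE = re.compile(r"\[Scripts_types\](\n(?P<GroupName>.+)=.+)+")

# Pass 2: one name=protocol pair per match, applied repeatedly to the block
# (the SPL equivalent is rex field=Scripts_types max_match=0 "...").
PAIR_RE = re.compile(r"^(?P<GroupName>[^=\n]+)=(?P<Protocol>[^\n]+)$", re.MULTILINE)


def last_iteration_only(event):
    """Reproduce the problem: the repeated group yields only the final name."""
    m = REPEATED_RE.search(event)
    return m.group("GroupName") if m else None


def extract_script_types(event):
    """Return every (group name, protocol) pair under [Scripts_types], 0..n of them."""
    m = BLOCK_RE.search(event)
    if not m:
        return []
    block = m.group("Scripts_types")
    return [(p.group("GroupName"), p.group("Protocol")) for p in PAIR_RE.finditer(block)]


if __name__ == "__main__":
    print("repeated group keeps only:", last_iteration_only(EVENT))
    for name, protocol in extract_script_types(EVENT):
        print(f"{name} -> {protocol}")
```
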
perrinj2
Path Finder

@ITWhisperer  Thanks, that's what I thought might be the next step. I was hoping to do it in one pass but that doesn't seem possible. 

perrinj2
Path Finder

It's one event

thambisetty
SplunkTrust
SplunkTrust

Is the below only one event? If yes, please don't format the event before sharing it in the community, especially when the question is about regular expressions; we can't give a proper answer if the event is modified and shared here.

[Scenario_summary]
Scenario Type=Manual Scenario
Goal Profile Name=Schedule 1
Mode=Scenario Scheduling
Scenario Duration=Start 27 Vusers: 1 every 00:00:15 (HH:MM:SS); Run for 00:30:00 (HH:MM:SS); Stop all Vusers simultaneously
Load Behavior=Initialize each Vuser just before it runs

[Scripts]
apache_on_5154=D:\LoadRunner Repo\LoadRunner\Loadrunner Scripts\apache_on_5154\apache_on_5154.usr
AjaxClickAndScript1=D:\LoadRunner Scripts\SPLUNK_SOLUTION_2\AjaxClickAndScript1\AjaxClickAndScript1.usr
AddNewCustomer=D:\CPE_Demo\AddNewCustomer\AddNewCustomer.usr

[Scripts_types]
apache_on_5154=Multi+QTWeb
AjaxClickAndScript1=WebAjax
AddNewCustomer=Multi+QTWeb
