Combining rex results

jwhughes58
Contributor

I have this search that I'm trying to break down

| tstats `summariesonly` values(Web.url) as url values(Web.src) as src values(Web.dest) as dest values(Web.action) as action values(Web.app) as app FROM datamodel=Web where sourcetype=pan:threat Web.app!=smtp Web.url!="*:25/*" [|search earliest=-30d index=email sourcetype=fe_xml_syslog hxxp | rex field=_raw "\<url\>(?<url>.*)\<\/url\>" |dedup url |table url |eval Web.url=replace(url,"hxxp://","")+"*" | fields - url] by Web.src |fields - Web.src | addinfo

I want the output for sourcetype to look like this:

pan:threat
fe_xml_syslog

Instead I'm only getting pan:threat. I know there is a way of combining these so each is on a separate line, but my google fu is weak on this one. Any suggestions?

TIA,
Joe

0 Karma

woodcock
Esteemed Legend

Try this:

... | rex field=search max_match=0 "sourcetype=\"*(?[^\"\( ]+)\"*"

Then you can use mvfilter and/or mvindex to grab what you need from the multi-valued field.

0 Karma

woodcock
Esteemed Legend

Your desire makes no sense to me but you can do it by adding this to the end:

| eval sourcetype = mvappend(sourcetype, "fe_xml_syslog")
0 Karma

jwhughes58
Contributor

Yeah, it is poorly worded. Okay, taking the above data as the field search, I use this

| rex field=search "sourcetype=\"(?<my_st>[^\"( ]+)\""

I'm getting the first sourcetype

my_st = pan:threat

but I'm not getting the second sourcetype in the string. I can't add it with an append because I don't know what the second sourcetype will be. Any thoughts?

TIA
Joe

0 Karma
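
The difference between the single-match rex in the follow-up and the max_match=0 version in the accepted answer, modelled in Python as an added example (not code from the thread or from Splunk). The sample `search` string is constructed, the capture-group name `my_st` is assumed for the answer's pattern from the follow-up post, and `rex`, `mvindex` and `other_sourcetypes` are hypothetical helpers that only imitate the SPL behaviour.

```python
import re

# Constructed sample of a `search` field value (not data from the thread).
# One sourcetype is unquoted and one is quoted; the pattern's optional quotes cover both.
SAMPLE_SEARCH = (
    '| tstats values(Web.url) as url FROM datamodel=Web '
    'where sourcetype=pan:threat Web.app!=smtp '
    '[| search earliest=-30d index=email sourcetype="fe_xml_syslog" hxxp | table url]'
)

# The answer's pattern. Python spells a named group (?P<name>...) where rex uses
# (?<name>...). The group name my_st is an assumption taken from the follow-up post.
PATTERN = re.compile(r'sourcetype="*(?P<my_st>[^"\( ]+)"*')


def rex(text, pattern, max_match=1):
    """Model of rex's max_match: 1 (the default) keeps the first match, 0 keeps all."""
    values = [m.group("my_st") for m in pattern.finditer(text)]
    return values if max_match == 0 else values[:max_match]


def mvindex(values, i):
    """Zero-based pick from a multivalue list; None when the index is out of range."""
    return values[i] if -len(values) <= i < len(values) else None


def other_sourcetypes(values, known="pan:threat"):
    """mvfilter-style selection: keep every value except the already-known sourcetype."""
    return [v for v in values if v != known]


if __name__ == "__main__":
    # Default behaviour: only the first sourcetype comes back.
    print(rex(SAMPLE_SEARCH, PATTERN))
    # max_match=0: every sourcetype, one per line, without knowing the second in advance.
    for st in rex(SAMPLE_SEARCH, PATTERN, max_match=0):
        print(st)
```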