Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Combining rex results

jwhughes58
Contributor
‎03-04-2019 04:11 PM

I have this search that I'm trying to break down

| tstats `summariesonly` values(Web.url) as url values(Web.src) as src values(Web.dest) as dest values(Web.action) as action values(Web.app) as app FROM datamodel=Web where sourcetype=pan:threat Web.app!=smtp Web.url!="*:25/*" [|search earliest=-30d index=email sourcetype=fe_xml_syslog hxxp | rex field=_raw "\<url\>(?<url>.*)\<\/url\>" |dedup url |table url |eval Web.url=replace(url,"hxxp://","")+"*" | fields - url] by Web.src |fields - Web.src | addinfo

I want the output for sourcetype to look

pan:threat
fe_xml_syslog

Instead I'm only getting pan:threat. I know there is a way of combining these so each is on a separate line, but my google fu is weak on this one. Any suggestions?

TIA,
Joe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-05-2019 10:30 PM

Try this:

... | rex field=search max_match=0 "sourcetype=\"*(?[^\"\( ]+)\"*"

Then you can use mvfilter and/or mvindex to grab what you need from the multi-valued field.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-05-2019 10:30 PM

Try this:

... | rex field=search max_match=0 "sourcetype=\"*(?[^\"\( ]+)\"*"

Then you can use mvfilter and/or mvindex to grab what you need from the multi-valued field.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-04-2019 08:07 PM

Your desire makes no sense to me but you can do it by adding this to the end:

| eval sourcetype = mvappend(sourcetype, "fe_xml_syslog")
0 Karma
Reply
Solved! Jump to solution

jwhughes58
Contributor
‎03-05-2019 08:35 AM

Yeah it is is poorly worded. Okay taking the above data as the field search I use this

| rex field=search "sourcetype=\"(?[^\"( ]+)\""

I'm getting the first sourcetype

my_st = pan:threat

but I'm not getting the second sourcetype in the string. I can't add it with an append because I don't know what the second sourcetype will be. Any thoughts?

TIA
Joe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...