Splunk Search

Combining rex results

jwhughes58
Contributor

I have this search that I'm trying to break down

| tstats `summariesonly` values(Web.url) as url values(Web.src) as src values(Web.dest) as dest values(Web.action) as action values(Web.app) as app FROM datamodel=Web where sourcetype=pan:threat Web.app!=smtp Web.url!="*:25/*" [|search earliest=-30d index=email sourcetype=fe_xml_syslog hxxp | rex field=_raw "\<url\>(?<url>.*)\<\/url\>" |dedup url |table url |eval Web.url=replace(url,"hxxp://","")+"*" | fields - url] by Web.src |fields - Web.src | addinfo

I want the output for sourcetype to look like:

pan:threat
fe_xml_syslog

Instead I'm only getting pan:threat. I know there is a way of combining these so each is on a separate line, but my google fu is weak on this one. Any suggestions?

TIA,
Joe

1 Solution

woodcock
Esteemed Legend

Try this:

... | rex field=search max_match=0 "sourcetype=\"*(?<my_st>[^\"\( ]+)\"*"

Then you can use mvfilter and/or mvindex to grab what you need from the multi-valued field.
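
A worked example of the accepted rex, added here and not part of the original thread: it builds a sample `search` field with makeresults (a shortened copy of Joe's search, constructed for this example), extracts every sourcetype with max_match=0, then uses mvindex and mvexpand to get one sourcetype per row, which works even when the second sourcetype is not known in advance.

```spl
| makeresults
| eval search="| tstats summariesonly count FROM datamodel=Web where sourcetype=pan:threat Web.app!=smtp [|search earliest=-30d index=email sourcetype=fe_xml_syslog hxxp | table url] by Web.src"
| rex field=search max_match=0 "sourcetype=\"*(?<my_st>[^\"\( ]+)\"*"
| eval first_st=mvindex(my_st, 0), last_st=mvindex(my_st, -1)
| mvexpand my_st
| table my_st first_st last_st
```

The result is two rows, pan:threat and fe_xml_syslog, with first_st and last_st kept on each row in case only the outer or the subsearch sourcetype is needed.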

woodcock
Esteemed Legend

Your desire makes no sense to me but you can do it by adding this to the end:

| eval sourcetype = mvappend(sourcetype, "fe_xml_syslog")

jwhughes58
Contributor

Yeah, it is poorly worded. Okay, taking the above data as the field search, I use this

| rex field=search "sourcetype=\"(?<my_st>[^\"( ]+)\""

I'm getting the first sourcetype

my_st = pan:threat

but I'm not getting the second sourcetype in the string. I can't add it with an append because I don't know what the second sourcetype will be. Any thoughts?

TIA
Joe
