Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining rex results

jwhughes58
Contributor
‎03-04-2019 04:11 PM

I have this search that I'm trying to break down

| tstats `summariesonly` values(Web.url) as url values(Web.src) as src values(Web.dest) as dest values(Web.action) as action values(Web.app) as app FROM datamodel=Web where sourcetype=pan:threat Web.app!=smtp Web.url!="*:25/*" [|search earliest=-30d index=email sourcetype=fe_xml_syslog hxxp | rex field=_raw "\<url\>(?<url>.*)\<\/url\>" |dedup url |table url |eval Web.url=replace(url,"hxxp://","")+"*" | fields - url] by Web.src |fields - Web.src | addinfo

I want the output for sourcetype to look

pan:threat
fe_xml_syslog

Instead I'm only getting pan:threat. I know there is a way of combining these so each is on a separate line, but my google fu is weak on this one. Any suggestions?

TIA,
Joe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-05-2019 10:30 PM

Try this:

... | rex field=search max_match=0 "sourcetype=\"*(?[^\"\( ]+)\"*"

Then you can use mvfilter and/or mvindex to grab what you need from the multi-valued field.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-05-2019 10:30 PM

Try this:

... | rex field=search max_match=0 "sourcetype=\"*(?[^\"\( ]+)\"*"

Then you can use mvfilter and/or mvindex to grab what you need from the multi-valued field.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-04-2019 08:07 PM

Your desire makes no sense to me but you can do it by adding this to the end:

| eval sourcetype = mvappend(sourcetype, "fe_xml_syslog")
0 Karma
Reply
Solved! Jump to solution

jwhughes58
Contributor
‎03-05-2019 08:35 AM

Yeah it is is poorly worded. Okay taking the above data as the field search I use this

| rex field=search "sourcetype=\"(?[^\"( ]+)\""

I'm getting the first sourcetype

my_st = pan:threat

but I'm not getting the second sourcetype in the string. I can't add it with an append because I don't know what the second sourcetype will be. Any thoughts?

TIA
Joe

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...