Extracting multiple values from one field

slandail · ‎11-08-2011

Using the Akamai app, and the configuration 'akamai-access-combined-extractions' uses:

[[all:other]]

... to capture a field that contains two pipe-separated values, where the pipe character indicates the end of each string:

"1_2141|959006|"

Trying to modify the config to split the field into two, but my regex kung fu is pretty weak. I tried this:

(?:[$|]+[[all:waf_version]]++[[all:waf_rule]]++)

... but I ran into a 'Regex: range out of order in character class' error.

Thoughts on how to fix?

MHibbin · ‎11-14-2011

Is it possible to perform search-time field extraction using RegEx? I know this not what you are asking but possibly another solution...

If so you could use something like:

*|rex field=test "(?<test1>\d+\_\d+)\|(?<test2>\d+)\|"

This will works assuming the strings are built-up of ...

 {(one or more digit)(underscore)(one or more digit)} (pipe) {(one or more digit)}

So this works on the following types of data:

1_211|959006|
1_2141|959006|
1_21|959006|
1_2141|9590|
1_2141|959006|

Are you a member of the Splunk Community?