Extraction of multiple events from a single variab...

rturk · ‎04-11-2012

Hi Splunkers 🙂

I have some variable length NAT translation events in the following format:

Apr 12 11:42:23 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port client-type server-IP server-port nat-IP nat-port start end|xxx.xxx.xxx.xxx 33791 yyy.yyy.yyy.yyy 6443 DY zzz.zzz.zzz.zzz 6443 0.0.0.0 0 12/04/2012-12:36:10 12/04/2012-12:37:11
Apr 12 11:39:28 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port client-type server-IP server-port nat-IP nat-port start end|xxx.xxx.xxx.xxx 13518 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:15|xxx.xxx.xxx.xxx 11333 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:16

Each distinct translation is separated by a pipe command.

What is the best way of extracting (potentially) multiple events from a single line? I'm assuming this is possible?

Many thanks 🙂

woodcock · ‎07-05-2015

You can do it like this:

| rex "^[\|]+\|(?<MVevents>.*)$" | makemv delim="|" MVevents

You now have a multi-value field with all of your events as a separate value within that field. From here you can use mvindex to get at each one or mvexpand to create individual events; there are other mv commands, too.

Extraction of multiple events from a single variable length event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation