Splunk Search

Find the LAST instance of an extracted field

jeremyhagand61
Communicator

I have event data which looks like this:

Sep 12 11:33:23 hostname  AUDIT "2019-09-12 11:33:23.677 GMT+1000"  192.168.19.36 hostname:1812 0 1912 17771 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 11:33:53 hostname  AUDIT "2019-09-12 11:33:53.848 GMT+1000"  192.168.19.36 hostname:1812 0 1912 17974 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 11:34:11 hostname  AUDIT "2019-09-12 11:34:11.692 GMT+1000"  192.168.19.36 hostname:1812 0 1912 18175 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 14:34:22 hostname  AUDIT "2019-09-12 14:34:22.210 GMT+1000"  192.168.19.36 hostname:1812 0 18870 20232 "text=Access DENIED Incorrect LDAP Password. ,reason=3; Incorrect LDAP Password." Thread-6076 VSValidationEngine.c
Sep 12 14:40:37 hostname  AUDIT "2019-09-12 14:40:36.800 GMT+1000"  192.168.19.36 hostname:1812 0 1912 20499 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c

I am grouping the events into a transaction based on the auto-extracted "thread" field. This makes these into 1 event. I am then extracting the results into a field called "result" using the following rex command:

rex field=text max_match=0 "Access\s(?<result>[A-Z]+)\s"

With the example event data above, I get a MV field with only 2 values. It seems to be deduping my match. I really want ALL the values and then am interested in putting the final value (index -1) into another field.

Any guidance on how to achieve this would be appreciated.


renjith_nair
SplunkTrust

@jeremyhagand61,

Try using the mvlist=true rendering option

Reference : Multivalue rendering options

mvlist
Syntax: mvlist= true | false | <field-list>
Description: Flag that controls how multivalued fields are processed. When set to mvlist=true, the multivalued fields in the transaction are a list of the original events ordered in arrival order. When set to mvlist=false, the multivalued fields in the transaction are a set of unique field values ordered alphabetically. If a comma or space delimited list of fields is provided, only those fields are rendered as lists.
Default: false

In your case, it would be

"your search"
| transaction thread mvlist=true
| rex field=text "Access\s(?<result>[A-Z]+)\s"
| eval new_field=mvindex(result,-1)
Happy Splunking!


jeremyhagand61
Communicator

Thanks, that worked. Makes a bit more work to collapse the other fields I am extracting, but I managed to get what I needed.
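
To show why the default rendering yields only two values and why arrival order matters for mvindex(result,-1), here is an added Python simulation of the two transaction renderings described in the accepted answer, run over the five audit lines from the question. It is not Splunk and not code from the thread; the regexes and function names are assumptions made for the simulation.

```python
import re
from collections import defaultdict

# Constructed sample: the five audit lines quoted in the question.
EVENTS = [
    'Sep 12 11:33:23 hostname  AUDIT "2019-09-12 11:33:23.677 GMT+1000"  192.168.19.36 hostname:1812 0 1912 17771 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
    'Sep 12 11:33:53 hostname  AUDIT "2019-09-12 11:33:53.848 GMT+1000"  192.168.19.36 hostname:1812 0 1912 17974 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
    'Sep 12 11:34:11 hostname  AUDIT "2019-09-12 11:34:11.692 GMT+1000"  192.168.19.36 hostname:1812 0 1912 18175 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
    'Sep 12 14:34:22 hostname  AUDIT "2019-09-12 14:34:22.210 GMT+1000"  192.168.19.36 hostname:1812 0 18870 20232 "text=Access DENIED Incorrect LDAP Password. ,reason=3; Incorrect LDAP Password." Thread-6076 VSValidationEngine.c',
    'Sep 12 14:40:37 hostname  AUDIT "2019-09-12 14:40:36.800 GMT+1000"  192.168.19.36 hostname:1812 0 1912 20499 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
]

# Assumed stand-ins for the auto-extracted "text" and "thread" fields.
EVENT_RE = re.compile(r'"text=(?P<text>[^"]*)"\s+(?P<thread>Thread-\d+)')
# The rex pattern from the thread.
RESULT_RE = re.compile(r"Access\s(?P<result>[A-Z]+)\s")


def parse(events):
    """Return (thread, text) pairs in arrival order."""
    pairs = []
    for line in events:
        m = EVENT_RE.search(line)
        if m:
            pairs.append((m.group("thread"), m.group("text")))
    return pairs


def transaction(pairs, mvlist):
    """Group text values per thread.
    mvlist=False (default): unique values, sorted alphabetically.
    mvlist=True: every value, in arrival order."""
    groups = defaultdict(list)
    for thread, text in pairs:
        groups[thread].append(text)
    if not mvlist:
        return {t: sorted(set(v)) for t, v in groups.items()}
    return dict(groups)


def extract_results(texts):
    """rex over a multivalue field: one result per value that matches."""
    return [m.group("result") for t in texts for m in [RESULT_RE.search(t)] if m]


def final_result(events, mvlist):
    """Per thread, the equivalent of eval new_field=mvindex(result,-1)."""
    tx = transaction(parse(events), mvlist)
    return {t: (extract_results(v) or [None])[-1] for t, v in tx.items()}
```

With the default rendering the sorted set makes the "last" value DENIED, although the thread actually ended with CHALLENGED; only mvlist=true preserves the order that mvindex(result,-1) relies on.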
