Splunk Search

Help Splunk query multiple values

chris95
Engager

Hello,

I would like to retreive multiple value into a single field.
Below an example of log where I would like to extract the value after "sha256":" until the next " 

 

[{"overall_weight":0,"anomaly_types":0,"signature":"DUA.Downselect.PDF.FEBeta","sha256":"babee76d75c74c527c3b836b143277b8d60e4300ab2ebfeb92ed41c6e4b044d3","file_type":36,"uuid":"23e6d432-e357-4f21-b5fe-d596c7e5afec"}, {"overall_weight":0,"anomaly_types":0,"signature":"FAUDE.Downselect.FEBeta","sha256":"5f0708914b9cebd186f48e5574f54fd01927c9a0d48c1941b01e84d8d14de8e6","file_type":36,"uuid":"11e0b0ef-c09f-441e-9a0d-d3fb1ed1a612"}, {"overall_weight":0,"anomaly_types":2048,"signature":"FAUDE.Downselect.FEBeta","sha256":"fd6dd07ea0814a073c437781f7fc85c2ed8e1ccc28e17f19a8f670e419d7f3a6","file_type":36,"uuid":"4fb4310b-61e5-4410-8e5b-b8c775878958"}, {"overall_weight":0,"anomaly_types":2048,"signature":"FAUDE.Downselect.FEBeta","sha256":"ac5de15540b5572e23828e227b800afb65b30f8783ea71d15b842e3f22fd45b8","file_type":36,"uuid":"679ee174-12f1-45df-9fdc-97c9eb53b7d4"}]

 

The return should be like below :

SHA256
babee76d75c74c527c3b836b143277b8d60e4300ab2ebfeb92ed41c6e4b044d3
5f0708914b9cebd186f48e5574f54fd01927c9a0d48c1941b01e84d8d14de8e6
fd6dd07ea0814a073c437781f7fc85c2ed8e1ccc28e17f19a8f670e419d7f3a6
etc
etc

Can someone help me please ?

Labels (3)
0 Karma
1 Solution

scelikok
Champion

Hi @chris95,

You can use below settings, this will extract a new "sha256" field as multivalue;

props.conf
[your_sourcetype]
REPORT-extract_sha256 = sha256_mv

transforms.conf
[sha256_mv]
REGEX = sha256\":\"(?<sha256>[^\"]+)
MV_ADD = true

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote is appreciated.

View solution in original post

0 Karma

scelikok
Champion

Hi @chris95,

You can use below settings, this will extract a new "sha256" field as multivalue;

props.conf
[your_sourcetype]
REPORT-extract_sha256 = sha256_mv

transforms.conf
[sha256_mv]
REGEX = sha256\":\"(?<sha256>[^\"]+)
MV_ADD = true

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote is appreciated.

View solution in original post

0 Karma

chris95
Engager

it works with your regex and the argument max_match=0 

thank you

0 Karma