Solved: Re: Eval from Multivalue field

ff170a · ‎11-07-2022

I have a dataset with a multiline field called Logs. The field typically has values like the below,

  "mId": "Null",
  "deviceID": "a398Z389j",
  "cSession": "443",
  "cWeb": "443",
  "uWeb": "Mixed",
  "s": "Steak",
  "Ing": [
    "1-555-5555555",
    "1-888-8888888"
  ],
  "Sem": [
    "Warehouse@Forest.box"
  ]

I'd like to make it so I can identify the values within "Ing" and easily search where a specific value is in "Ing" for other events. I was able to break it out and split on the comma and then look at the index number 6 but this only returns the 1st item, where in most events there are multiple (upwards of 10) items.

| eval a = mvindex(split(Logs,","), 6)

  "Ing": [
    "1-555-5555555"

Thoughts on how to get a complete list of the items in Ing?

johnhuang · ‎11-07-2022

Assuming that Ing values are always formatted as a phone number:

| rex field=Logs "\"(?<ing_values>\d\-\d{3}\-\d+)\""
| eval ing_6=MVINDEX(ing_values, 6)

View solution in original post

johnhuang · ‎11-07-2022

Assuming that Ing values are always formatted as a phone number:

| rex field=Logs "\"(?<ing_values>\d\-\d{3}\-\d+)\""
| eval ing_6=MVINDEX(ing_values, 6)

ff170a · ‎11-07-2022

Thanks for the response. The numbers do appear in a phone number format, but are not phone numbers.

If I use that rex on my data, I only get the first item in the ing field, and not all of the items, which is what I am trying to gather.

ff170a · ‎11-07-2022

Adding a max_match=10 resolved that issue. Looks like I got what I need. Thanks!

Help with Eval from Multivalue field?

field extraction

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?