Solved: Hi! I would like to create a field extraction of a... - Page 2

kisfoldik · ‎06-28-2017

This is a typical relevant line from logs:

[28/Jun/2017:07:26:04 -0400] conn=9354 op=7 msgId=8 - SRCH base="o=company" scope=2 filter="(&(|(objectclass=mailgroup)(objectclass=person)(objectclass=alias))(!(objectclass=moderatedgroup))(mailalternateaddress=owner-john.doe@company.com))" attrs="cn uid mailaddress uniquemember"

The "attrs=" is the required text and the "cn uid mailaddress uniquemember" -attributes would need to be extracted separetly..the space is the delimiter between them. With the wizard I only able to select one of them. But I need to count them one by one .... | chart count by host,attrib_extraction
Thanks!

javiergn · ‎06-28-2017

Hi,

So assuming your key value extraction is working fine and there is an attribute named attrs already then you can simply do:

| eval attrib_extraction = split(attrs, " ")

If that's not the case you can extract key value pairs from your raw data using the kv command.
Alternatively a simple regex like the following should do the trick too:

| rex "attrs=\"(?<attrib_extraction_all>[^\"]+)\""
| rex max_match=0 field=attrib_extraction_all "(?<attrib_extraction>\S+)"

If you then need to expand this multivalued field simply do:

| mvexpand attrib_extraction

Hope that helps.

Thanks,
J

View solution in original post

Hi! I would like to create a field extraction of a multi-valued field.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!