Solved: How can I extract a multi value field?

danielbb · ‎11-13-2019

We have a field called IP-Group. It can be empty or it would have this format - IP-Group={xxxx} {yyyy} {zzz}.

Can I extract it until the last } and maybe extract each value separately as well?

vnravikumar · ‎11-13-2019

Hi

Try this

| makeresults 
| eval temp="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=temp max_match=0 "\{(?P<result>[^}]+)"

View solution in original post

vnravikumar · ‎11-13-2019

Hi

Try this

| makeresults 
| eval temp="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=temp max_match=0 "\{(?P<result>[^}]+)"

danielbb · ‎11-14-2019

Great - this is slick!!!

codebuilder · ‎11-13-2019

If you are ingesting structured data like JSON or XML, then you can use set kvmode in props.conf for automatic kv field extraction.
I've not personally used it for JSON, but I do use it for XML and it works like a champ, including multi-value fields.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsea...

----
An upvote would be appreciated and Accept Solution if it helps!

ololdach · ‎11-13-2019

Hi,
please try this:

|makeresults|eval IP-Group="{ip1} {ip2} {ip3} {ip4}"|makemv delim=" " IP-Group | mvexpand IP-Group | rex field=IP-Group "\{(?<ipvalue>.*)\}

You want to have one event per ip value, because the length of your list is dynamic and there is no other way that comes to my mind to parse a variable number of values from a list.
Hope it helps
Oliver

ololdach · ‎11-13-2019

Sorry, cut & paste error 🙂 forgot to paste the final "

danielbb · ‎11-13-2019

I get *Unbalanced quotes. * on that.

mayurr98 · ‎11-13-2019

"\{(?<ipvalue>.*)\}" change
add " at the end

danielbb · ‎11-13-2019

Great! looks good.

mayurr98 · ‎11-13-2019

try this:

| makeresults 
| eval xx="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=xx "IP-Group=\{(?<x>[^\}]+)\}\s+\{(?<y>[^\}]+)\}\s+\{(?<z>[^\}]+)"

danielbb · ‎11-13-2019

The following does it -

| makeresults 
| eval xx="IP-Group={xxxx} {yyyy} {zzz}" 
| rex field=xx "IP-Group=(?<yy>.+\})"

But can we generate a distinct field for each value?

FrankVl · ‎11-13-2019

Distinct fields as in, ipgroup1=xxx, ipgroup2=yyy, ipgroup3=zzz?

If the actual number of items in the multivalued field is dynamic, that is going to be pretty difficult to solve elegantly.

If the number of possible entries is somewhat limited (e.g. max 3) you can do it like this:

| rex field=xx "IP-Group=\{(?<ipgroup1>[^}]+)\}(?:\s+\{(?<ipgroup2>[^}]+)\})?(?:\s+\{(?<ipgroup3>[^}]+)\})?"

See: https://regex101.com/r/RSfFlu/1

This approach can be extended as far as you want, by just appending more (?:\s+\{(?<ipgroup...>[^}]+)\})? parts. But that gets a bit ugly if it can also be 100 entries.

How can I extract a multi value field?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

How can I extract a multi value field?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...