How can I extract fields as an array?

GersonGarcia · ‎10-03-2017

Dear friends,

I have one event in my log file that my user want to extract fields as an array. The event is:

RequestTime="14 Sep 2017 23:59:47.819" RequesterIP="10.108.18.9" HTTPDThreadID="@http-0.0.0.0-3043-6" RequestType="AddMeterReadJob" RequestLen="2755" RequestTimeUnix="1505433587.819" ResponseType="JobIDResponse" ResponseLen="3652" ResponseTimeUnix="1505433587.866" ResponseTime="14 Sep 2017 23:59:47.866" ElapsedTime="0.047" OpenThreadCount="0" RequestXML='<urn:AddMeterReadJob xmlns:urn="urn:com:ssn:schema:service:v1.9:JobManager.xsd" AutoActivate="true"><urn:JobInfo><urn:Name>MeterInquiry_MeterRead_SYNC</urn:Name></urn:JobInfo><urn:MeterReadJob><urn:DeviceMacID>00:13:50:03:00:42:3a:ce</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:05:1e</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:49:88:7a</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:31:bc</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:15:21</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:2c:3f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:14:a9</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:3f:2f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:44:0d:16</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:47:fb:8f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fc:63</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:43:8c:3c</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:14:d3</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fb:8c</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3a:ef:90</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:10:32</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3e:b1:c3</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:0b:90</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:f6:61</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3d:1a:d9</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:61:fa:f9</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fc:38</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3c:23:74</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3e:5e:b3</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:49:05:45</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:14:a7</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:bf:09</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:6f:bd</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:47:70:a0</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3e:a1:27</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:43:8c:46</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:c9:c8</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fb:e8</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:40:d2:11</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:e1:ae</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:41:fd:6f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fb:65</urn:DeviceMacID><urn:MeterReadType><urn1:Name xmlns:urn1="urn:com:ssn:schema:service:v1.9:CommonEnumerations.xsd">JOB_OP_REGISTER_CURR_READ</urn1:Name></urn:MeterReadType><urn:NumberRetries>0</urn:NumberRetries><urn:Priority><urn1:Name xmlns:urn1="urn:com:ssn:schema:service:v1.9:CommonEnumerations.xsd">JOB_PRIORITY_HIGH</urn1:Name></urn:Priority></urn:MeterReadJob><urn:Schedule><urn:Immediate/></urn:Schedule><JobID>208115248</JobID></urn:AddMeterReadJob>'

I need to be able to get a list of urn:DeviceMacID and be able to manipulate them as field.

Is there any way?

Thank you

Gerson Garcia

richgalloway · ‎10-03-2017

Here's one way.

<your base search> | rex field=RequestXML max_match=0 "\<urn:DeviceMacID>(?<DeviceMacID>[^\<]*)" | mvexpand DeviceMacID | ...

---
If this reply helps you, Karma would be appreciated.

How can I extract fields as an array?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

How can I extract fields as an array?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...