Solved: How to extract a field that appears several times,...

fmaldonado6441 · ‎03-19-2015

Hello community,

Can you give me a hand with the following case:

I have the following log and desire to extract a field that appears several times, but with different values for every event. The log is a sip server.

The field to be created is "via" with the respective values in front of each of them.

'Via' 'SIP/2.0/UDP 172.20.30.219;rport;branch=z9hG4bK915603406529843-AP;ft=172.20.30.219~13c4' 
'Via' 'SIP/2.0/UDP 172.20.30.218:15060;rport=15060;ibmsid=local.1423076844553_14140521_14153316;branch=z9hG4bK915603406529843' 
'Via' 'SIP/2.0/UDP 172.20.30.218:15060;rport;ibmsid=local.1423076844553_14140520_14153315;branch=z9hG4bK796372520547692' 
'Via' 'SIP/2.0/TLS 172.20.30.219;branch=z9hG4bK0fcbd45fcd1e41df3a54ebe9bc00-AP;ft=33364;received=172.20.30.219;rport=22178' 
'Via' 'SIP/2.0/TLS 172.20.30.41;branch=z9hG4bK0fcbd45fcd1e41df3a54ebe9bc00' 
'Via' 'SIP/2.0/TCP 172.20.30.33;branch=z9hG4bK0fcbd45fcd1e41df3a54ebe9bc00'

and within those same lines is the "branch" field that also has different values.

fmaldonado6441 · ‎03-30-2015

Hi,

The solution to my problem was given by adding the parameter "MV_ADD = 1" in the transforms.conf file, basically this parameter allowing to make is that extraction will not stop when it finds a match.

props.conf

[sip]
BREAK_ONLY_BEFORE = ^@
NO_BINARY_CHECK = true
disabled = false
REPORT-via-extract = via-extract

transforms.conf

[via-extract]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = 'Via'\s+'(?<sip_via>[^\']+)

Thank you all for your contributions.

View solution in original post

fmaldonado6441 · ‎03-30-2015

Hi,

The solution to my problem was given by adding the parameter "MV_ADD = 1" in the transforms.conf file, basically this parameter allowing to make is that extraction will not stop when it finds a match.

props.conf

[sip]
BREAK_ONLY_BEFORE = ^@
NO_BINARY_CHECK = true
disabled = false
REPORT-via-extract = via-extract

transforms.conf

[via-extract]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = 'Via'\s+'(?<sip_via>[^\']+)

Thank you all for your contributions.

chimell · ‎03-20-2015

Hi
You can use this search

 .... | rex field=_raw   "\'Via\'\s\'(?<value>.*)\'" | table value | rename value as via

Tell me if it satisfy you please

fmaldonado6441 · ‎03-20-2015

Thanks for your support, but it is not exactly what I'm looking for, is that a single event can have multiple lines with informacińo of "via" so the rex suggesting I only extracts the first match, what I want to achieve is to extract the value of the "via" field displays how many times per event.

stephanefotso · ‎03-30-2015

Means the sample data you gave bellow is a single event? if not, can you give a sample data, where we can see an event with several values of val?

SGF

fmaldonado6441 · ‎03-30-2015

That's right, what values are in the post are from a single event.

ramdaspr · ‎03-19-2015

.. | rex field=_raw "\'Via\'\s\'(?<viavalue>.*)\'"

viavalue would have the text between the single quote after via

fmaldonado6441 · ‎03-20-2015

Thanks for your support, but it is not exactly what I'm looking for, is that a single event can have multiple lines with informacińo of "via" so the rex suggesting I only extracts the first match, what I want to achieve is to extract the value of the "via" field displays how many times per event.

How to extract a field that appears several times, but with different values for every event?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?