Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract all values for a single field using rex?

harshal_chakran
Builder
‎02-04-2015 07:50 AM

Hi,
I have a log file from which I am trying to extract a value of the specific term "Security ID".
My data is divided in two events, as follows:

EVENT 1:

waterfall:
    Security ID:     NULL SID
    Data Language:   -
    Data Syntax:     -
    Data ID:         0x0

Data Type:         3

New Interface:
    Security ID:     QWERTY\ts123654
    Data Language:   ts123654
    Data Syntax:     QWERTY
    Data ID:         0x17r2627u8
    Data GUID:     {00000000-0000-0000-0000-000000000000}

EVENT 2 :

waterfall:
    Security ID:      ASDFGH\ts654321
    Data Language:  ts654321
    Data Syntax:      ASDFGH
    Data ID:          0x17r2612323
    Data GUID:      {00000000-0000-0000-0000-000000000000}

I want to extract the values of the term "Security ID" from the logs. To display the data in following manner:

NULL SID
QWERTY\ts123654
ASDFGH\ts654321

I have used the field extractor utility of Splunk, but not able to capture all the Security ID's.
Please Help...!!!

Tags (2)
Reply

wpreston
Motivator
‎02-04-2015 07:55 AM

Try this to see if it works:

... search terms here ... | rex "Security\sID:\s(?<Security_ID>.*)\sData\sLanguage"

If so, you can add the regular expression into your props.conf file to extract the field automatically.

Reply

wpreston
Motivator
‎02-09-2015 04:46 AM

No problem, happy to help!

0 Karma
Reply

KindaWorking
Path Finder
‎02-04-2015 02:28 PM

There are a couple of things that will not work for this. I believe the regular expression you are looking for is something like:

Security\sID:\s+(?<SecurityID>.*)\n

There is quite a bit of whitespace between Security ID: and the data he is hoping to grab. The thing that I do not know how to do (and am super keen to know how it can be done) is how to extract multiple values of the same field from a single event.

0 Karma
Reply

wpreston
Motivator
‎02-05-2015 05:03 AM

Getting past the extra white space is easy enough with a slightly modified regex (the extra white space and current formatting of the events with line breaks was not in the original post).

To extract multiple values of the same field from a single event, you need to add your extraction to transforms.conf and add MV_ADD = True, then either create a new report stanza or add to an existing report stanza in props.conf for the host, source, or sourcetype that the field is associated with. For this example, I'll use a sourcetype of 'waterfall':

transforms.conf

[Security_ID_Extraction]
REGEX = Security\sID:\s+(?<SecurityID>.*)\n
MV_ADD = True

props.conf

[waterfall]
REPORT-waterfall_fields = Security_ID_Extraction
Reply

KindaWorking
Path Finder
‎02-05-2015 01:43 PM

Cool, thanks for that wpreston. I know I did not ask the question but I had the exact same question I was going to ask.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...