Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract all values for a single field using rex?

harshal_chakran
Builder
‎02-04-2015 07:50 AM

Hi,
I have a log file from which I am trying to extract a value of the specific term "Security ID".
My data is divided in two events, as follows:

EVENT 1:

waterfall:
    Security ID:     NULL SID
    Data Language:   -
    Data Syntax:     -
    Data ID:         0x0

Data Type:         3

New Interface:
    Security ID:     QWERTY\ts123654
    Data Language:   ts123654
    Data Syntax:     QWERTY
    Data ID:         0x17r2627u8
    Data GUID:     {00000000-0000-0000-0000-000000000000}

EVENT 2 :

waterfall:
    Security ID:      ASDFGH\ts654321
    Data Language:  ts654321
    Data Syntax:      ASDFGH
    Data ID:          0x17r2612323
    Data GUID:      {00000000-0000-0000-0000-000000000000}

I want to extract the values of the term "Security ID" from the logs. To display the data in following manner:

NULL SID
QWERTY\ts123654
ASDFGH\ts654321

I have used the field extractor utility of Splunk, but not able to capture all the Security ID's.
Please Help...!!!

Tags (2)
Reply

wpreston
Motivator
‎02-04-2015 07:55 AM

Try this to see if it works:

... search terms here ... | rex "Security\sID:\s(?<Security_ID>.*)\sData\sLanguage"

If so, you can add the regular expression into your props.conf file to extract the field automatically.

Reply

wpreston
Motivator
‎02-09-2015 04:46 AM

No problem, happy to help!

0 Karma
Reply

KindaWorking
Path Finder
‎02-04-2015 02:28 PM

There are a couple of things that will not work for this. I believe the regular expression you are looking for is something like:

Security\sID:\s+(?<SecurityID>.*)\n

There is quite a bit of whitespace between Security ID: and the data he is hoping to grab. The thing that I do not know how to do (and am super keen to know how it can be done) is how to extract multiple values of the same field from a single event.

0 Karma
Reply

wpreston
Motivator
‎02-05-2015 05:03 AM

Getting past the extra white space is easy enough with a slightly modified regex (the extra white space and current formatting of the events with line breaks was not in the original post).

To extract multiple values of the same field from a single event, you need to add your extraction to transforms.conf and add MV_ADD = True, then either create a new report stanza or add to an existing report stanza in props.conf for the host, source, or sourcetype that the field is associated with. For this example, I'll use a sourcetype of 'waterfall':

transforms.conf

[Security_ID_Extraction]
REGEX = Security\sID:\s+(?<SecurityID>.*)\n
MV_ADD = True

props.conf

[waterfall]
REPORT-waterfall_fields = Security_ID_Extraction
Reply

KindaWorking
Path Finder
‎02-05-2015 01:43 PM

Cool, thanks for that wpreston. I know I did not ask the question but I had the exact same question I was going to ask.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...