I am trying to extract both sha256 values from the event below but Splunk is only extracting the first value. How can I fix this?
2018-02-21T13:38:23+00:00 dummy.com amp_log: Info: Compressed/Archive File: sha256 = 12345 MID = 0001, Extracted File: File Name = 'data', File Type = 'image/x-emf', sha256 = 567890, Disposition = FILE UNKNOWN, Response received from = Cloud, Malware = None, Reputation Score = 0, upload_action = 1
Try this (on your search head(s). Splunk restart required)
props.conf
[yourSourceType]
REPORT-extractall = extractAllKV
transforms.conf
[extractAllKV]
# Group 1 = key, group 2 = value; the optional quote/whitespace run after '=' is non-capturing so $2 is the value
REGEX = (\w+)\s*=(?:\s|\'|\")*([^,'\"\s]+)
FORMAT = $1::$2
MV_ADD = true
Hi @somesoni2,
That's a good example! Just one thing in FORMAT: do we need to write $1::$3, or does it work with $1::$2?
It did work with FORMAT = $1::$2
Hi @ssyed2009,
You need max_match=0 to match multiple events. Try this:
...|rex max_match=0 "sha256\s*=\s*(?<sha>\d+)"
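The two answers above rely on the same regex mechanics: the transforms.conf REPORT with MV_ADD = true collects every key=value pair (repeated keys become a multivalue field), and rex with max_match=0 returns every match instead of only the first. The Python below is an added example, not code from the thread or from Splunk; it emulates that behaviour with the standard re module over the question's own event (embedded as a constructed sample) so you can see why the default extraction stops at the first sha256. The hex-digest variant at the end is an added generalisation: the question's sample uses numeric placeholders, but real SHA-256 values are 64 hex characters, which the \d+ in the rex answer would not match.

```python
import re

# Constructed sample: the event from the question, embedded so this runs offline.
EVENT = ("2018-02-21T13:38:23+00:00 dummy.com amp_log: Info: Compressed/Archive File: "
         "sha256 = 12345 MID = 0001, Extracted File: File Name = 'data', "
         "File Type = 'image/x-emf', sha256 = 567890, Disposition = FILE UNKNOWN, "
         "Response received from = Cloud, Malware = None, Reputation Score = 0, "
         "upload_action = 1")

# Regex from the transforms.conf answer; the quote/whitespace run after '='
# is non-capturing, so group 1 is the key and group 2 is the value ($1::$2).
KV_RE = re.compile(r"""(\w+)\s*=(?:\s|'|")*([^,'"\s]+)""")

# Pattern from the rex answer; the named group is the field 'sha'.
SHA_RE = re.compile(r"sha256\s*=\s*(?P<sha>\d+)")

# Added generalisation (not from the thread): real SHA-256 digests are
# 64 hex characters, which \d+ does not match.
HEX_SHA_RE = re.compile(r"sha256\s*=\s*(?P<sha>[0-9a-fA-F]{64})\b")


def extract_all_kv(event):
    """Emulate REPORT + MV_ADD = true: collect every key=value pair and turn
    repeated keys into a multivalue list instead of keeping only the first."""
    fields = {}
    for key, value in KV_RE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def rex_first_only(event):
    """Default rex behaviour (max_match=1): only the first sha256 comes back."""
    m = SHA_RE.search(event)
    return [m.group("sha")] if m else []


def rex_max_match_0(event):
    """rex with max_match=0: every occurrence, as a multivalue field."""
    return [m.group("sha") for m in SHA_RE.finditer(event)]


def rex_hex_sha256(event):
    """Same idea with a pattern that fits real 64-hex SHA-256 digests."""
    return [m.group("sha") for m in HEX_SHA_RE.finditer(event)]


# Constructed variant of the event with placeholder 64-hex digests
# (not real file hashes), to show the hex-aware pattern at work.
EVENT_HEX = (EVENT.replace("sha256 = 12345", "sha256 = " + "a" * 64)
                  .replace("sha256 = 567890", "sha256 = " + "b" * 64))


if __name__ == "__main__":
    print("transforms-style multivalue:", extract_all_kv(EVENT)["sha256"])
    print("rex default:               ", rex_first_only(EVENT))
    print("rex max_match=0:           ", rex_max_match_0(EVENT))
    print("hex digests on \\d+ event:  ", rex_hex_sha256(EVENT))
    print("hex digests on hex event:  ", rex_hex_sha256(EVENT_HEX))
```

Note that the generic key=value regex keys on the last word before '=', so "File Name" is extracted as Name and "Reputation Score" as Score, and a value with spaces such as FILE UNKNOWN is cut at the first space; that is inherent to the pattern in the answer, not to the emulation.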