Solved: Re: How to extract multiple values for a field in ...

ssyed2009 · ‎02-21-2018

I am trying to extract both sha256 values from the event below but Splunk is only extracting the first value. How can I fix this?

2018-02-21T13:38:23+00:00 dummy.com amp_log: Info:   Compressed/Archive File: sha256 = 12345 MID = 0001, Extracted File: File Name = 'data', File Type = 'image/x-emf', sha256 = 567890, Disposition = FILE UNKNOWN, Response received from = Cloud, Malware = None, Reputation Score = 0, upload_action = 1

somesoni2 · ‎02-21-2018

Try this (on your search head(s). Splunk restart required)

props.conf

[yourSourceType]
REPORT-extractall = extractAllKV

transforms.conf

[extractAllKV]
REGEX = (\w+)\s*=(\s|\'|\")*([^,'\"\s]+)
FORMAT = $1::$2
MV_ADD = true

View solution in original post

somesoni2 · ‎02-21-2018

Try this (on your search head(s). Splunk restart required)

props.conf

[yourSourceType]
REPORT-extractall = extractAllKV

transforms.conf

[extractAllKV]
REGEX = (\w+)\s*=(\s|\'|\")*([^,'\"\s]+)
FORMAT = $1::$2
MV_ADD = true

493669 · ‎02-21-2018

Hi @somesoni2,
that's a good example! just one thing in FORMAT whether we need to write $1::$3 or does it work with $!::$2?

ssyed2009 · ‎02-27-2018

it did work with FORMAT = $1::$2

493669 · ‎02-21-2018

Hi @ssyed2009,
you need max_match=0 to match multiple events
try this:

...|rex max_match=0 "sha256\s*=\s*(?<sha>\d+)"

How to extract multiple values for a field in the same event using field extractions?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...