Splunk Search

How to extract multiple values for a field in the same event using field extractions?

New Member

I am trying to extract both sha256 values from the event below but Splunk is only extracting the first value. How can I fix this?

2018-02-21T13:38:23+00:00 dummy.com amp_log: Info:   Compressed/Archive File: sha256 = 12345 MID = 0001, Extracted File: File Name = 'data', File Type = 'image/x-emf', sha256 = 567890, Disposition = FILE UNKNOWN, Response received from = Cloud, Malware = None, Reputation Score = 0, upload_action = 1
0 Karma
1 Solution

SplunkTrust

Try this (on your search head(s); Splunk restart required):

props.conf

[yourSourceType]
REPORT-extractall = extractAllKV

transforms.conf

[extractAllKV]
# Group 1 = field name, group 2 = value. The quote/whitespace filler after the
# "=" is a non-capturing group so that it does not shift the value to $3.
REGEX = (\w+)\s*=(?:\s|\'|\")*([^,'\"\s]+)
FORMAT = $1::$2
# Append every match to the field instead of keeping only the first one.
MV_ADD = true

0 Karma


Super Champion

Hi @somesoni2,
That's a good example! Just one thing: in FORMAT, do we need to write $1::$3, or does it work with $1::$2?

0 Karma

New Member

It did work with FORMAT = $1::$2.

0 Karma

Super Champion

Hi @ssyed2009,
You need max_match=0 to match multiple events.
Try this:

...|rex max_match=0 "sha256\s*=\s*(?<sha>\d+)"
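Added example (not from this thread or from Splunk itself): a small Python emulation of what the accepted answer's REPORT transform with MV_ADD and the rex command with max_match do to the event from the question. It shows why the group numbering in FORMAT matters (with the three-group regex the value is $3, with the filler group made non-capturing it is $2) and why rex returns only the first sha256 unless max_match=0. The event string is copied from the question; the functions extract_all_kv and rex are this example's own helpers, and Python's re needs (?P<name>...) where Splunk accepts (?<name>...).

```python
import re

# Sample event, copied from the question above (constructed test input).
EVENT = (
    "2018-02-21T13:38:23+00:00 dummy.com amp_log: Info:   Compressed/Archive File: "
    "sha256 = 12345 MID = 0001, Extracted File: File Name = 'data', "
    "File Type = 'image/x-emf', sha256 = 567890, Disposition = FILE UNKNOWN, "
    "Response received from = Cloud, Malware = None, Reputation Score = 0, "
    "upload_action = 1"
)

# Regex as first posted: three capture groups. Group 2 only swallows the
# whitespace/quote filler after "=", so the value sits in group 3 ($3).
REGEX_THREE_GROUPS = r"(\w+)\s*=(\s|\'|\")*([^,'\"\s]+)"

# Same regex with the filler made non-capturing: the value is now group 2 ($2),
# which is what FORMAT = $1::$2 expects.
REGEX_TWO_GROUPS = r"(\w+)\s*=(?:\s|\'|\")*([^,'\"\s]+)"


def extract_all_kv(event, regex, fmt="$1::$2"):
    """Emulate a REPORT transform with MV_ADD = true (hypothetical helper).

    fmt is a Splunk-style FORMAT string "$n::$m": group n is the field name,
    group m the value. Every match is appended, so a key that occurs twice
    (sha256 here) becomes a multivalue field, represented as a list.
    """
    spec = re.fullmatch(r"\$(\d+)::\$(\d+)", fmt)
    if spec is None:
        raise ValueError("only '$n::$m' FORMAT strings are emulated")
    key_group, val_group = int(spec.group(1)), int(spec.group(2))
    fields = {}
    for match in re.finditer(regex, event):
        key = match.group(key_group)
        value = match.group(val_group)
        if value is None:  # an optional group that matched zero times
            continue
        fields.setdefault(key, []).append(value)
    return fields


def rex(event, pattern, max_match=1):
    """Emulate the rex command (hypothetical helper).

    Named groups become fields. Like Splunk's rex, the default max_match=1
    keeps only the first hit; max_match=0 keeps every hit as a multivalue.
    """
    fields = {}
    for index, match in enumerate(re.finditer(pattern, event)):
        if max_match and index >= max_match:
            break
        for name, value in match.groupdict().items():
            if value is not None:
                fields.setdefault(name, []).append(value)
    return fields


if __name__ == "__main__":
    # $1::$2 against the three-group regex yields the filler, not the value.
    print(extract_all_kv(EVENT, REGEX_THREE_GROUPS, "$1::$2")["sha256"])
    # $1::$3 against the three-group regex, or $1::$2 against the
    # non-capturing version, yields both hashes as a multivalue field.
    print(extract_all_kv(EVENT, REGEX_THREE_GROUPS, "$1::$3")["sha256"])
    print(extract_all_kv(EVENT, REGEX_TWO_GROUPS)["sha256"])
    # rex: first value only by default, both with max_match=0.
    print(rex(EVENT, r"sha256\s*=\s*(?P<sha>\d+)")["sha"])
    print(rex(EVENT, r"sha256\s*=\s*(?P<sha>\d+)", max_match=0)["sha"])
```

Note that the generic key=value regex stops a value at the first space, so "Disposition = FILE UNKNOWN" yields only "FILE"; for values with spaces a field-specific regex such as the rex above is the safer choice.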