Splunk Search

How to extract multiple values for multiple fields from my sample multiline event using rex?

vijax
Engager

Below are my sample event details. I want to extract fields into a table using regex operations.

I need to only get IN and OUT status.

status  |  license  |  username  |  machine

IN      |  lic_1    |  user1     |  WKS1xxxx
OUT     |  lic_2    |  user2     |  WKS1xxxx
IN      |  lic_3    |  user3     |  WKS1xxxx

Sample data:

15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (All licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (All licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) OUT: "lic_1" user1@WKS1xxxx  
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) UNSUPPORTED: "lic_3" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) IN: "lic_3" user2@WKS2xxxx  
15:22:04 (app1) IN: "lic_1" user1@WKS1xxxx  
15:22:20 (app1) OUT: "lic_3" user3@WKS22xxx
1 Solution

gokadroid
Motivator

If each line is a single event above then @rich71777's answer should hold good, however if more than one such line exists per event then please give this a try:

your query to get the events
| rex max_match=0 field=_raw "(?<status>(IN|OUT)):\s*\"(?<license>[^\"]+)\"\s*(?<username>[^@]+)@(?<machine>[\S]+)"
| eval allValues=mvzip( status, mvzip(license, mvzip(username, machine, "~"), "~"), "~")
| mvexpand allValues
| rex field=allValues "(?<myStatus>[^~]+)~(?<myLicense>[^~]+)~(?<myUser>[^~]+)~(?<myMachine>.*)"
| table myStatus, myLicense, myUser, myMachine
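As an added example (not code from the thread or from Splunk), the same four-step pipeline reproduced in Python so the pattern can be checked offline: `rex max_match=0` becomes `finditer` collecting one list per field, the nested `mvzip` becomes a `~`-join, and `mvexpand` plus the second `rex` become a row split. The event is a constructed multiline event assembled from the question's sample lines; Python's `re` needs `(?P<name>...)` where Splunk accepts `(?<name>...)`.

```python
import re

# Constructed multiline event: several license-manager lines in ONE Splunk event,
# copied from the sample data in the question. Only IN/OUT lines should survive.
SAMPLE_EVENT = """\
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) OUT: "lic_1" user1@WKS1xxxx  
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) IN: "lic_3" user2@WKS2xxxx  
15:22:04 (app1) IN: "lic_1" user1@WKS1xxxx  
15:22:20 (app1) OUT: "lic_3" user3@WKS22xxx
"""

# Same pattern as the accepted answer's first rex. The SPL string escape \" is a plain "
# in a Python raw string, and (?<name>...) becomes (?P<name>...).
STATUS_RE = re.compile(
    r'(?P<status>(IN|OUT)):\s*"(?P<license>[^"]+)"\s*(?P<username>[^@]+)@(?P<machine>\S+)'
)
FIELDS = ("status", "license", "username", "machine")


def extract_multivalue(event: str) -> dict:
    """Step 1 (rex max_match=0): every field becomes a multivalue list, one entry per match."""
    fields = {name: [] for name in FIELDS}
    for m in STATUS_RE.finditer(event):
        for name in FIELDS:
            fields[name].append(m.group(name))
    return fields


def zip_and_expand(fields: dict, sep: str = "~") -> list:
    """Steps 2-4 (mvzip, mvexpand, second rex): pair the i-th value of each list into one row.

    Without the zip, `table` would show four independent multivalue columns and the
    reader could not tell which license belongs to which user. The row split mirrors
    the second rex (three '~' separators, machine takes the rest), so it breaks if any
    value itself contains the separator; pick one that cannot occur in the data.
    """
    zipped = [sep.join(t) for t in zip(*(fields[name] for name in FIELDS))]
    rows = []
    for value in zipped:
        status, lic, user, machine = value.split(sep, 3)
        rows.append({"myStatus": status, "myLicense": lic, "myUser": user, "myMachine": machine})
    return rows


def extract_rows(event: str) -> list:
    """Whole pipeline: multiline event in, one aligned row per IN/OUT line out."""
    return zip_and_expand(extract_multivalue(event))


if __name__ == "__main__":
    for row in extract_rows(SAMPLE_EVENT):
        print(row)
```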



chimell
Motivator

Hi

In gokadroid answer, replace

(?<license>[^"]+)  

with

 (?<license>[^\"]+)

to have a good answer. He forgot to escape the " character.

vijax
Engager

Thanks all, gokadroid's answer was great, and chimell pointed out the error. The final rex would include chimell's changes.

gokadroid
Motivator

Thanks @chimell and @vijax ...nice catch! Updated as per comments. Up vote for both of you for refining the answer.


Richfez
SplunkTrust

Try

... | rex "(?<status>(IN|OUT)):\s+\"(?<license>[^\"]*)\"\s+(?<username>[^@]*)@(?<machine>.*)"

That should give you the fields you asked for on all lines that have the fields in them.

Link to regex101 sample
