Splunk Search

How to extract multiple values for multiple fields from my sample multiline event using rex?

vijax
Engager

Below is my mentioned sample event details. I want to extract fields into a table using regex operations.

I need to only get IN and OUT status.

status  |  license  |  username  |  machine

IN      |  lic_1    |  user1     |  WKS1xxxx
OUT     |  lic_2    |  user2     |  WKS1xxxx
IN      |  lic_3    |  user3     |  WKS1xxxx

Sample data:

15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (All licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (All licenses are reserved for others. (-101,396:10054 ""))
15:21:54 (app1) DENIED: "lic_1" user1@WKS1xxxx  (User/host not on INCLUDE list for feature. (-39,349:10054 ""))
15:21:54 (app1) OUT: "lic_1" user1@WKS1xxxx  
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) UNSUPPORTED: "lic_3" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) UNSUPPORTED: "lic_2" (PORT_AT_HOST_PLUS   ) user1@WKS1xxxx  (License server system does not support this feature. (-18,327:10054 ""))
15:21:54 (app1) IN: "lic_3" user2@WKS2xxxx  
15:22:04 (app1) IN: "lic_1" user1@WKS1xxxx  
15:22:20 (app1) OUT: "lic_3" user3@WKS22xxx
0 Karma
1 Solution

gokadroid
Motivator

If each line is a single event above then @rich71777 's answer should hold good, however if more than one such lines exist per event then please give this a try:

your query to get the events
| rex max_match=0 field=_raw "(?<status>(IN|OUT)):\s*\"(?<license>[^\"]+)\"\s*(?<username>[^@]+)@(?<machine>[\S]+)"
| eval allValues=mvzip( status, mvzip(license, mvzip(username, machine, "~"), "~"), "~")
| mvexpand allValues
| rex field=allValues "(?<myStatus>[^~]+)~(?<myLicense>[^~]+)~(?<myUser>[^~]+)~(?<myMachine>.*)"
| table myStatus, myLicense, myUser, myMachine

View solution in original post

gokadroid
Motivator

If each line is a single event above then @rich71777 's answer should hold good, however if more than one such lines exist per event then please give this a try:

your query to get the events
| rex max_match=0 field=_raw "(?<status>(IN|OUT)):\s*\"(?<license>[^\"]+)\"\s*(?<username>[^@]+)@(?<machine>[\S]+)"
| eval allValues=mvzip( status, mvzip(license, mvzip(username, machine, "~"), "~"), "~")
| mvexpand allValues
| rex field=allValues "(?<myStatus>[^~]+)~(?<myLicense>[^~]+)~(?<myUser>[^~]+)~(?<myMachine>.*)"
| table myStatus, myLicense, myUser, myMachine

View solution in original post

chimell
Motivator

Hi

In gokadroid answer, replace

(?<license>[^"]+)  

with

 (?<license>[^\"]+)

to have a good answer. He forgot to escape " character

vijax
Engager

thanks all , gokadroid answer was great , and chimell pointed out the error. the final rex would include chimell changes

gokadroid
Motivator

Thanks @chimell and @vijax ...nice catch! Updated as per comments. Up vote for both of you for refining the answer.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Try

 ... | rex "(?<status>(IN|OUT)):\s+"(?<license>[^"]*)"\s+(?<username>[^@]*)@(?<machine>.*)" 

That should give you the fields you asked for on all lines that have the fields in them.

Link to regex101 sample

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.