Splunk Search

How to extract multiple values from a single value in a field?

xoamanda12xo
Explorer

I have a field called "Risk Type" that has categorical data associated with the type of risk of an event. For example, for one event it might say "Type - Network", but for another event that has more than one risk type it will say "Type - Network Type - USB Type - Data" where the three risk types are in a single value. What I want to do is to extract each type as a separate value, so for event X there would be three entries for each type. Ex:

Event X Type - Network

Event X Type - USB

Event X Type - Data

I tried doing mvexpand but this did not separate each type into multiple values. I also thought of using the rex command but I do not know what the regular expression would be to do this. How do I accomplish this?

shivanshu1593
Builder

Try the following. Should give you what you're looking for.

| rex max_match=0 field=risk_type "(?<risk_type>Type(?:(?!Type)[\s\S])*)"
| mvexpand risk_type

###If this helps, kindly consider an upvote/accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

xoamanda12xo
Explorer

Thanks, this helped a lot. Do you know how to extract a sentence? For example, if the risk type was "Type - Monitor User Activity Type - USB" I would want a value with: "Type - Monitor User Activity" and "Type - USB". This solution only gives me "Type - Monitor" in this scenario.

shivanshu1593
Builder

I've updated the regex above. Please try that. Should extract the sentences that you listed as examples. If it needs more modification, kindly share some sample data to create an accurate regex.

###If it helps, kindly consider marking it as the accepted answer###
Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

richgalloway
SplunkTrust

The rex command will work. Just provide a regex for a single match and include the max_match=0 option and rex will return multiple hits.

| rex max_match=0 field='Risk Type' "Type - (?<riskType>\w+)"
---
If this reply helps you, Karma would be appreciated.
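Splunk itself is not something you can run in a reply box, so here is an added Python example (not from the thread or from Splunk) that reproduces what the two answers above do to a "Risk Type" value: the accepted answer's tempered-token regex `Type(?:(?!Type)[\s\S])*`, which keeps multi-word types such as "Type - Monitor User Activity" intact, next to the single-word `Type - (\w+)` variant, which only captures the first word. It also mimics `rex max_match=0 ... | mvexpand` by turning one event into one row per extracted type. The sample events, the field name "Risk Type" and the function names are constructed for this example.

```python
import re

# Constructed sample events (not from the original thread); the "Risk Type"
# values follow the format the question describes.
SAMPLE_EVENTS = [
    {"event": "X", "Risk Type": "Type - Network Type - USB Type - Data"},
    {"event": "Y", "Risk Type": "Type - Monitor User Activity Type - USB"},
    {"event": "Z", "Risk Type": "Type - Network"},
]

# The accepted answer's regex: "Type" followed by any characters up to (but not
# including) the next literal "Type". The tempered token (?:(?!Type)[\s\S])*
# is what lets multi-word types survive as a single match.
TEMPERED_RE = re.compile(r"Type(?:(?!Type)[\s\S])*")

# The single-word variant from the other answer: only the first \w+ after
# "Type - " is captured, so "Monitor User Activity" becomes "Monitor".
SINGLE_WORD_RE = re.compile(r"Type - (\w+)")


def extract_risk_types(value, pattern=TEMPERED_RE):
    """Return every match in `value` as a list, like rex max_match=0 on one field.

    If the pattern has a capture group, the group is returned (as rex would
    return the named group); otherwise the whole match is used. Trailing
    whitespace is stripped so "Type - Network " becomes "Type - Network".
    """
    matches = []
    for m in pattern.finditer(value):
        text = m.group(1) if pattern.groups else m.group(0)
        matches.append(text.strip())
    return matches


def expand_events(events, field="Risk Type", pattern=TEMPERED_RE):
    """Mimic `rex max_match=0 ... | mvexpand`: one output row per extracted value.

    Every other field of the event is copied unchanged onto each new row.
    """
    rows = []
    for ev in events:
        for risk_type in extract_risk_types(ev[field], pattern):
            row = dict(ev)
            row[field] = risk_type
            rows.append(row)
    return rows


if __name__ == "__main__":
    # Expected: six rows, e.g. "Event X Type - Network", "Event X Type - USB", ...
    for row in expand_events(SAMPLE_EVENTS):
        print(f"Event {row['event']} {row['Risk Type']}")
    # Expected: ['Monitor', 'USB'] -- the truncation the follow-up question hit
    print(extract_risk_types(SAMPLE_EVENTS[1]["Risk Type"], SINGLE_WORD_RE))
```

One caveat worth checking against real data before relying on the expanded values in a search or alert: the tempered pattern treats every literal "Type" as a delimiter, so a category whose name itself contains that word would be split in the middle. If that can happen, anchor on the full "Type - " prefix (including the separator) rather than on the bare word.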