Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to field extract one or more times to the same field?

DEAD_BEEF
Builder
‎08-27-2019 04:31 PM

I am using a CDN and have obtained my DNS logs. Some of the DNS logs have multiple values for the field response ID and response. I am trying to make a field extraction for this but not sure how to write this to match "1 or more times". So in some cases, 1 log can have multiple response_id and response values. Can this be done via the GUI field extractions or does it HAVE TO be done via props/transforms as here and here?

In this case, I want to extract all the response ID's and responses ( 300:response) from the log below. The number of responses can vary (sometimes 1, sometimes 3, etc.). Six responses in the log snippet below.

sample log

394347 - 1566861761 26/08/2019 23:22:41,1.2.3.4,12345,mywebsite1.com,IN,NS,E,4096,D,,300:a8-cdm.com 300:a7-cdm.com 300:a16-cdm.com 300:a22-cdm.com 300:a1-cdm.com 300:a9-cdm.com

desired parsing

response_id   response
300           a8-cdm.com
300           a7-cdm.com
300           a16-cdm.com
300           a22-cdm.com
300           a1-cdm.com
300           a9-cdm.com

my regex (which isn't working)

(.*?,){10}((?<response_code_id>\d+):(?<response_code>[\.a-zA-Z0-9-]+)\s?){1,}
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2019 05:32 PM

When extracting at search time, add max_match=0 to your rexcommand. That tells rex to accept unlimited matches.
When extracting at index time, add MV_ADD = true to your transforms.conf stanza.

In either case, the extracted data will be in a multi-value field and you will need to use mvexpand and similar commands to work with it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2019 05:32 PM

When extracting at search time, add max_match=0 to your rexcommand. That tells rex to accept unlimited matches.
When extracting at index time, add MV_ADD = true to your transforms.conf stanza.

In either case, the extracted data will be in a multi-value field and you will need to use mvexpand and similar commands to work with it.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...