Solved: How to separate field

Dalador · ‎03-31-2021

Hi, guys. I have a big trouble here.
I'm using rex to get ip-adresses.

|rex max_match=0 "(?P<ip0>((?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}))"

field1:

255.255.255.255/1

255.255.255.255/2

255.255.255.255/3

255.255.255.255/4

How can i do this? Please, help 😞

I want to get something like this

field1:	field2:	field3:	field4:
255.255.255.255/1	255.255.255.255/2	255.255.255.255/3	255.255.255.255/4

scelikok · ‎03-31-2021

Hi @Dalador,

If every log contains four ip address you can try below;

| rex "(?P<ip1>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}).+(?P<ip2>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}).+(?P<ip3>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}).+(?P<ip4>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9})"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎03-31-2021

Hi @Dalador,

If every log contains four ip address you can try below;

| rex "(?P<ip1>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}).+(?P<ip2>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}).+(?P<ip3>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9}).+(?P<ip4>(?:[0-9]{1,3}\.){3}[0-9]{1,3}.[0-9]{1,9})"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Dalador · ‎03-31-2021

yes, exactly what i need!
Thanks, didn't know that we can use rex like this..

rnowitzki · ‎03-31-2021

Hi @Dalador ,

Try to add :

| transpose

This would create columns based on your rows.

You will probably have to do some renaming and maybe filter some of the new rows, but it should give you what you are asking for.

Best Regards

Ralph

--
Karma and/or Solution tagging appreciated.

Dalador · ‎03-31-2021

Hi, Ralph
Close enough, but i want to get something like this

rnowitzki · ‎03-31-2021

This would give you numbered ip* columns

| transpose
| rename "row *" as ip*
| fields - column

This is a modified version of what @ITWhisperer suggested, which is more flexible than my simple transpose approach:

| rename ip0 as ip
| streamstats count as row
| eval row="ip".row
| eval {row}=ip
| stats values(ip*) as ip*

But answering these questions would really help to find a suitable solution 🙂

--
Karma and/or Solution tagging appreciated.

ITWhisperer · ‎03-31-2021

| makeresults | eval _raw="field1
255.255.255.255/1
255.255.255.255/2
255.255.255.255/3
255.255.255.255/4"
| multikv forceheader=1
| fields field1
| fields - _time _raw

| streamstats count as row
| eval row="field_".row
| eval {row}=field1
| stats values(field_*) as field*

Dalador · ‎03-31-2021

Thanks,
Unfortunately this is not working for me 😞
I want something like this:

ITWhisperer · ‎03-31-2021

You are probably going to have to give a bit more detail - is ip0 a multi-value field or are these separate events? are there other fields you want to keep? what is it about the suggestions that is not working for you?

Dalador · ‎03-31-2021

ip0 is a multi-value field, Sorry, i'm new to splunk and i try to do my best
i tried to add your solution to my search string and get empty results 😞
I want just this 4 ip adresses in separate columns, and add _time, i think

ITWhisperer · ‎03-31-2021

No worries - we all had to start somewhere!

| makeresults | eval _raw="ip0
255.255.255.255/1
255.255.255.255/2
255.255.255.255/3
255.255.255.255/4"
| multikv forceheader=1
| fields ip0
| fields - _raw
| stats values(ip0) as ip0 by _time


| mvexpand ip0
| streamstats count as row by _time
| eval row="ip".row
| eval {row}=ip0
| fields - ip0
| stats values(ip*) as ip* by _time

The part before the blank lines just set up the dummy data as a multi-value field

The mvexpand converts the multi-value field into separate events

Streamstats identifies the instance of the multi-value field the event came from

eval converts the count to a name for the resultant field

eval with {} uses the contents of the field (row) as the name of the resultant field

fields removes the original field

stats gathers the fields back into a row based on the original time of the event

Dalador · ‎03-31-2021

Yep, this almost looks like i want!
Thanks!
But, how to unite this two search? I tried to |eval _raw="ip0" and get no results

ITWhisperer · ‎03-31-2021

You don't need the makeresults part before the blank lines - these just set up some dummy data the demonstrate the bit after the blank lines

index=cisco ... | rex ....
| mvexpand ip0
| streamstats count as row by _time
| eval row="ip".row
| eval {row}=ip0
| fields - ip0
| stats values(ip*) as ip* by _time

Dalador · ‎03-31-2021

still doesn't work, return with job error

ITWhisperer · ‎03-31-2021

What is the error? Start with your initial search and keep adding lines one at a time to see where the error gets introduced

Dalador · ‎03-31-2021

Thank you, problem is solved

How to separate field

field extraction

fields

regex

rex

table

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM