Splunk Search

How to split a field into multiple fields?

Minarai
Explorer

Hi.

Let's say there is a field named "raw".

The values are like this.

http-header1=value1|http-header2=value2..

The number of HTTP headers is 1 to 4.

ex)

METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg

I'd like to split this field into multiple fields like this.

field | value
----------------------+--------------
raw_http_header1 | value1
raw_http_header2 | value2

...

ex)

field | value
----------------------+--------------
raw_METHOD | POST
raw_User_Agent | Mozilla
raw_HTTP_CONTENT | img/jpeg

...

Note that field names cannot contain "-".


ITWhisperer
SplunkTrust
SplunkTrust
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| eval raw=split(raw,"|")
| mvexpand raw
| rex field=raw "(?<field>[^=]+)=(?<value>.*)"
| eval field="raw_".replace(field,"-","_")

Minarai
Explorer

Thanks a lot!

Sorry to bother you, but is there any way without using mvexpand?

When you use mvexpand, events are created separately, right?

I want to add fields to the original event.

ITWhisperer
SplunkTrust
SplunkTrust
| makeresults
| fields - _time
| eval raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=raw max_match=0 "(?<field>[^=]+)=(?<value>[^\|]+)\|?"
| eval field=mvmap(field,"raw_".replace(field,"-","_"))

Minarai
Explorer

Thank you for the reply!

The example I showed you was not good.

There are events like this.

index=index_main
| table eventID,raw

eventID | raw
--------+------------------------------------------------------------
1 | METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg
2 | METHOD=GET|Referer=http://192.168.0.1
3 | METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox

The wanted result is like this.
I want to create new fields whose names are related to the HTTP header.

eventID 2 does not have a User-Agent header, so you do not add the raw_User_Agent field.

...
| table eventID,raw*

eventID | raw | raw_METHOD | raw_User_Agent | raw_HTTP_CONTENT | raw_Referer | raw_X_Forwarded_For
--------+-----+------------+----------------+------------------+-------------+--------------------
1 | "METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg" | POST | Mozilla | img/jpeg | |
2 | "METHOD=GET|Referer=http://192.168.0.1" | GET | | | http://192.168.0.1 |
3 | "METHOD=POST|X-Forwarded-For=10.0.0.1|User-Agent=Firefox" | POST | Firefox | | | 10.0.0.1

ITWhisperer
SplunkTrust
SplunkTrust

raw_User_Agent is null for eventID 2

This is how tables work! You have rows and columns. Where there is a value for the column it is shown for that row. The cell (row x column) doesn't simply disappear if there is no value to be shown, it is just blank.

bowesmana
SplunkTrust
SplunkTrust

Did you want something like this?

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| extract
| fields - _kv _raw
| transpose 0 column_name="field"
| eval field="raw_".field
| rename "row 1" as value

which, from the "extract", will create the field/value pairs and make two columns, field and value,

or did you want a single piece of text with the values separated with a pipe symbol?

Minarai
Explorer

Thanks for your reply.

What you showed was really good,

but I want to add these fields to the search result by using the eval command or something.

ex)

I want to add a "rawdata_method" field whose value is "POST".

Regards

bowesmana
SplunkTrust
SplunkTrust

i.e. this variant:

| makeresults
| fields - _time
| eval _raw="METHOD=POST|User-Agent=Mozilla|HTTP-CONTENT=img/jpeg"
| rex field=_raw max_match=0 "(?<field>[^|]*)\|?"
| mvexpand field
| eval field="raw_".replace(field, "=", "|")
| fields - _raw
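As an added example that is not taken from any post in this thread, the following search produces the dynamically named raw_* fields on each original event, which is what the clarified question asks for: rex with max_match=0 pulls out every name=value pair, mvexpand and eval {k}=v create one field per header name (with the raw_ prefix and "-" replaced by "_"), and stats by eventID folds the expanded rows back into a single row per event, so the result is not split. It assumes the index_main index and the eventID field from the question, and that header values do not themselves contain "|".

```spl
index=index_main
| rex field=raw max_match=0 "(?<pair>[^|]+)"
| mvexpand pair
| rex field=pair "^(?<k>[^=]+)=(?<v>.*)$"
| eval k="raw_".replace(k,"-","_")
| eval {k}=v
| fields - pair k v
| stats values(raw) as raw, values(raw_*) as raw_* by eventID
| table eventID, raw, raw_*
```

An event whose raw field lacks a given header simply has no value in that column, which is the blank cell ITWhisperer describes above.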