Splunk Search

How to write the regex to extract these 2 fields from this result?

kranthi851
New Member

Hi all,

How to extract the fields UDP_PORT and TCP_PORT from this result?

FIXED_SEVERITY_3=10, FIXED_SEVERITY_2=14, CONFIRMED_SEVERITY_2=13, CONFIRMED_SEVERITY_3=9, CONFIRMED_SEVERITY_1=3, ACTIVE_SEVERITY_3=2, CONFIRMED_SEVERITY_4=1, ACTIVE_SEVERITY_1=1, SCAN_DURATION=1647, UDP_PORT=123, UDP_PORT=514, TCP_PORT=22, TCP_PORT=514, TCP_PORT=5520, TCP_PORT=8000, TOTAL_VULNS=46
Tags (2)
0 Karma
1 Solution

sundareshr
Legend

Like this

... | rex max_match=0 "UDP+PORT=(?<udp>\d+)" | rex max_match=0 "TCP_PORT=(?<tcp>\d+)" | eval z=mvzip(udp, tcp) | mvexpand z | table udp tcp

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One of these should do.

... | rex max_match=0 "UDP_PORT=(?<UPD_PORT>\d+)|TCP_PORT=(?<TCP_PORT>\d+)" | ...

... | extract mv_add=true kvdelim='=' pairdelim=',' | ...

Both will produce multi-value fields for each type of port, which you can then process using the mv* commands.

---
If this reply helps you, Karma would be appreciated.
0 Karma

sundareshr
Legend

Like this

... | rex max_match=0 "UDP+PORT=(?<udp>\d+)" | rex max_match=0 "TCP_PORT=(?<tcp>\d+)" | eval z=mvzip(udp, tcp) | mvexpand z | table udp tcp
0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...