Solved: How to write the regex to extract these 2 fields f...

kranthi851 · ‎06-06-2016

Hi all,

How to extract the fields UDP_PORT and TCP_PORT from this result?

FIXED_SEVERITY_3=10, FIXED_SEVERITY_2=14, CONFIRMED_SEVERITY_2=13, CONFIRMED_SEVERITY_3=9, CONFIRMED_SEVERITY_1=3, ACTIVE_SEVERITY_3=2, CONFIRMED_SEVERITY_4=1, ACTIVE_SEVERITY_1=1, SCAN_DURATION=1647, UDP_PORT=123, UDP_PORT=514, TCP_PORT=22, TCP_PORT=514, TCP_PORT=5520, TCP_PORT=8000, TOTAL_VULNS=46

sundareshr · ‎06-06-2016

Like this

... | rex max_match=0 "UDP+PORT=(?<udp>\d+)" | rex max_match=0 "TCP_PORT=(?<tcp>\d+)" | eval z=mvzip(udp, tcp) | mvexpand z | table udp tcp

View solution in original post

richgalloway · ‎06-06-2016

One of these should do.

... | rex max_match=0 "UDP_PORT=(?<UPD_PORT>\d+)|TCP_PORT=(?<TCP_PORT>\d+)" | ...

... | extract mv_add=true kvdelim='=' pairdelim=',' | ...

Both will produce multi-value fields for each type of port, which you can then process using the mv* commands.

---
If this reply helps you, Karma would be appreciated.

sundareshr · ‎06-06-2016

Like this

... | rex max_match=0 "UDP+PORT=(?<udp>\d+)" | rex max_match=0 "TCP_PORT=(?<tcp>\d+)" | eval z=mvzip(udp, tcp) | mvexpand z | table udp tcp

How to write the regex to extract these 2 fields from this result?

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation

How to write the regex to extract these 2 fields from this result?

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI