Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to match one or more values to one ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I have log entries like the follow:
557 <134> 2016-04-20T10:33:05-04:00 PulseSecure: id=firewall time="2016-04-20 10:33:05" pri=6 fw=10.0.1.21 vpn=sa-node0 user=agarrison realm="DOMAIN.NET" roles="BASE-UI-SETTINGS, RDP-Test, VPN-REMOTEACCESS" proto=auth src=10.0.0.22 dst= dstname= type=vpn op= arg="" result= sent= rcvd= agent="Junos-Pulse/8.1 (Windows 10) Pulse/5.1" duration= msg="AUT24414: Agent login succeeded for agarrison from 10.165.251.22 with Junos-Pulse/8.1 (Windows 10) Pulse/5.1"
I would like to match all role values:
roles="BASE-UI-SETTINGS, RDP-Test, VPN-REMOTEACCESS"
Which there can be anywhere between 1-8 values depending on the user
Is it possible to create a regex that would capture one or more values for "roles" and assign them all to the variable "roles"? Instead of grabbing all of the values as a single value?
Currently I grab everything for roles and have to search it with wildcards because the values can be in different orders.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your field extraction is working and there is a field named roles with all the roles separated by comma:
your search here
| eval roles = split(roles, ",")
That will create a multivalued field that you can then use for different purposes. See this:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Parsemultivaluefields
Should you had to extract the key value pairs for whatever reasons, do the following instead:
your search here
| extract
| eval roles = split(roles, ",")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your field extraction is working and there is a field named roles with all the roles separated by comma:
your search here
| eval roles = split(roles, ",")
That will create a multivalued field that you can then use for different purposes. See this:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Parsemultivaluefields
Should you had to extract the key value pairs for whatever reasons, do the following instead:
your search here
| extract
| eval roles = split(roles, ",")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried the split() function? This will create a multi-value field (like an array) and you can use the multi-value functions to manipulate the data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That works, but is it possible to perform a split at time of index?
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
