So I have log entries like the following:
557 <134> 2016-04-20T10:33:05-04:00 PulseSecure: id=firewall time="2016-04-20 10:33:05" pri=6 fw=10.0.1.21 vpn=sa-node0 user=agarrison realm="DOMAIN.NET" roles="BASE-UI-SETTINGS, RDP-Test, VPN-REMOTEACCESS" proto=auth src=10.0.0.22 dst= dstname= type=vpn op= arg="" result= sent= rcvd= agent="Junos-Pulse/8.1 (Windows 10) Pulse/5.1" duration= msg="AUT24414: Agent login succeeded for agarrison from 10.165.251.22 with Junos-Pulse/8.1 (Windows 10) Pulse/5.1"
I would like to match all role values:
roles="BASE-UI-SETTINGS, RDP-Test, VPN-REMOTEACCESS"
There can be anywhere between 1 and 8 values, depending on the user.
Is it possible to create a regex that would capture one or more values for "roles" and assign them all to the variable "roles", instead of grabbing all of the values as a single value?
Currently I grab everything for roles and have to search it with wildcards because the values can be in different orders.
Assuming your field extraction is working and there is a field named roles with all the roles separated by commas:
your search here
| eval roles = split(roles, ",")
That will create a multivalued field that you can then use for different purposes. See this:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Parsemultivaluefields
Should you need to extract the key-value pairs for whatever reason, do the following instead:
your search here
| extract
| eval roles = split(roles, ",")
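As an added example (not from the question or the answer above), the same extraction done in Python on a constructed copy of the event: a key=value parser that handles the quoted and the empty fields, a regex for the quoted roles value (equivalent to a Splunk rex on _raw), and a per-role split that trims the space after each comma, which a plain split on "," leaves on every value but the first. The has_role helper and the trimming step are my additions, not anything the thread states about Splunk.

```python
import re

# Constructed sample event, modelled on the Pulse Secure line in the question.
SAMPLE = (
    '557 <134> 2016-04-20T10:33:05-04:00 PulseSecure: id=firewall '
    'time="2016-04-20 10:33:05" pri=6 fw=10.0.1.21 vpn=sa-node0 user=agarrison '
    'realm="DOMAIN.NET" roles="BASE-UI-SETTINGS, RDP-Test, VPN-REMOTEACCESS" '
    'proto=auth src=10.0.0.22 dst= dstname= type=vpn op= arg="" result= sent= rcvd= '
    'agent="Junos-Pulse/8.1 (Windows 10) Pulse/5.1" duration= '
    'msg="AUT24414: Agent login succeeded for agarrison from 10.165.251.22"'
)

# key=value pairs: a quoted value may contain spaces and commas,
# an unquoted value runs to the next space (and may be empty, e.g. dst=).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# The quoted roles value only; the same pattern as the Splunk search command
#   rex "roles=\"(?<roles>[^\"]*)\""
ROLES_RE = re.compile(r'roles="([^"]*)"')


def parse_kv(line):
    """Return every key=value field of the event as a dict (empty values map to '')."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def naive_split(line):
    """What a bare split on ',' gives: every value after the first keeps its leading space."""
    m = ROLES_RE.search(line)
    return m.group(1).split(',') if m else []


def extract_roles(line):
    """Multivalue list of roles, whitespace trimmed, empty entries dropped (1..8 roles or none)."""
    return [r.strip() for r in naive_split(line) if r.strip()]


def has_role(line, role):
    """Exact membership test (hypothetical helper): unlike a wildcard search over the
    raw roles string, 'RDP' or a prefix such as 'RDP-' does not match 'RDP-Test'."""
    return role in extract_roles(line)
```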
Have you tried the split() function? This will create a multi-value field (like an array) and you can use the multi-value functions to manipulate the data.
That works, but is it possible to perform a split at time of index?