Multi Valued Field Help

Path Finder

I have looked at a ton of posts about breaking a multivalued field but am having zero luck effecting a solution. I have a csv file that I have imported into Splunk. In one of the fields, it contains data like this:

Subject Name: Country: US State/Province: Virginia Locality: Glen Allen 

I thought I could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what I want. Can someone lend me their expertise in resolving?

Ideally, once I break this field up into its individual pieces I want to create a dashboard that checks one of them and ties it to all its records. Worry for another day if I can't break up the field.

0 Karma

Path Finder

Thanks everyone for the responses. I was out of the office Friday and also today so will get back to playing with this tomorrow and let you know the status.

0 Karma

Esteemed Legend

OK, I am taking a long-shot here and guessing that you are on an older version of Splunk which displays newlines as spaces. Try this:

... | rex "(?ms)Country:[\r\n\s]+(?<Country>.*?)[\r\n\s]+State\/Province:[\r\n\s]+(?<State>.*?)[\r\n\s]+Locality:[\r\n\s]+(?<Locality>.*)$"
0 Karma

Champion

Hi @ghostdog920 - please look at what you are pasting, you are corrupting the rex while pasting, like what happened with me.

| makeresults 
 | eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
 | rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

Have a look at what you tried last for the country field - field=plug_out "Country:\s+(?.?) and for all subsequent fields. There is nothing between the 2 question marks after the brackets, that's why it is giving an error. Please copy the code above (try pasting to a notepad first) and check the code. ATM you are corrupting the rex while pasting.

0 Karma
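The two working rex patterns in this thread (the Esteemed Legend's newline-tolerant version and the Champion's single-line version) do the same thing: named capture groups with non-greedy matches between the fixed labels, anchored at end of string. The following Python script is an added example, not code from the thread or from Splunk; it runs the same extraction over a few constructed sample events (hypothetical hosts and "Plugin Output" values, including one with newlines and one with no subject at all), mimics what `rex` and `table` do with matching and non-matching events, and shows why the pasted `(?.?)` groups fail to compile. Python names groups as `(?P<name>...)` where SPL uses `(?<name>...)`.

```python
import re
from typing import Optional

# Constructed sample events (hypothetical, not data from the thread). Each dict
# stands in for a Splunk event with a "Plugin Output" field. The second uses
# newlines, which the thread suspects an older Splunk UI displays as spaces; the
# third carries no certificate subject, so nothing should be extracted from it.
EVENTS = [
    {"host": "web01", "Plugin Output": "Subject Name: Country: US State/Province: Virginia Locality: Glen Allen"},
    {"host": "web02", "Plugin Output": "Subject Name:\nCountry: US\nState/Province: Virginia\nLocality: Glen Allen\n"},
    {"host": "web03", "Plugin Output": "No subject data returned"},
]

# Python spelling of the working rex from the thread. Differences from SPL:
# groups are (?P<name>...) instead of (?<name>...), and "/" needs no escaping.
# \s already matches \r and \n, so one pattern covers both the single-line and
# the newline-separated layouts (the (?ms) / [\r\n\s]+ variant does the same).
SUBJECT_RE = re.compile(
    r"Country:\s+(?P<Country>.*?)\s+"
    r"State/Province:\s+(?P<State>.*?)\s+"
    r"Locality:\s+(?P<Locality>.*?)\s*$",
    re.DOTALL,
)


def extract_subject(plugin_output: str) -> Optional[dict]:
    """Return {"Country", "State", "Locality"} or None when the text doesn't match."""
    m = SUBJECT_RE.search(plugin_output)
    if m is None:
        return None
    return {name: value.strip() for name, value in m.groupdict().items()}


def rex_events(events: list, field: str = "Plugin Output") -> list:
    """Apply the extraction to every event the way `rex field=<field>` does:
    matching events gain the three new fields, non-matching events pass through
    unchanged (a non-match never fails the search)."""
    out = []
    for ev in events:
        row = dict(ev)
        fields = extract_subject(ev.get(field, ""))
        if fields:
            row.update(fields)
        out.append(row)
    return out


def table(rows: list, *columns: str) -> list:
    """Rough equivalent of `| table host Country State Locality`: a row that
    lacks a column gets an empty cell, which is the headers-but-no-data symptom
    the asker saw when the extraction was not matching anything."""
    return [[row.get(col, "") for col in columns] for row in rows]


def pattern_compiles(pattern: str) -> bool:
    """True if `pattern` is a valid regex. The pasted `(?.?)` groups had lost
    their `<Country>` names, which is the "unrecognized character after (?"
    error Splunk reported; Python's re module rejects them the same way."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for line in table(rex_events(EVENTS), "host", "Country", "State", "Locality"):
        print(line)
    print("corrupted pattern compiles:", pattern_compiles(r"Country:\s+(?.?)\s+State"))
```

Running the script prints one row per event with the extracted columns (empty for web03) and `False` for the corrupted pattern. If the real events produce only empty cells, the pattern is not matching the raw field text, which is what to inspect next (for example by printing the field with `repr()` to see whether it contains newlines or other whitespace between the labels).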

Champion
| makeresults 
| eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
| rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"
0 Karma

Champion

There you go, just copy and paste it; this one line works... sorry, I guess the code copy in the comments was eating some stuff out of the rex.

0 Karma

Champion

If this works as it should, all you need to do is append index=nessus|rename "Plugin Output" as plug_out before the rex, and remove makeresults & the hard-coded eval.

0 Karma

Path Finder

Got this working (or at least not erroring) after I appended the index|rename as needed. I get a raw event dump and the regex fields still aren't listed in the "interesting fields" section as I would expect, but perhaps they wouldn't be?

0 Karma

Path Finder

Still no go. Thanks for all your help with this though, as I wouldn't have gotten this far without you.

0 Karma

Path Finder

Tried this:
index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And got this:
Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

Path Finder

So sorry, thought I responded back. I tried this:

index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And I got this output:

Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Thoughts on where I messed up?

0 Karma

Champion

Wait a sec, it's copying out incorrectly from my Splunk browser to here.

0 Karma

Champion

Remove the quotes you put ahead of plug_out in the rex, copy and paste this: | makeresults
|eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen"
| rex field=plug_out "Country:\s+(?.*?)\s+State\/Province:\s+(?.*?)\s+Locality:\s+(?.*)$"

0 Karma

Champion

This will give you a 1 line sample output, is this what you need but for all lines of your csv?

0 Karma

Esteemed Legend

Like this:

... | rex "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"
0 Karma

Path Finder

0 Karma

Path Finder

Is this legible enough?

0 Karma

Champion

Try index=nessus|rename "Plugin Output" as plug_out| rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

@woodcock's rex is correct and will work. Check using table.

0 Karma

Path Finder

Ok, unfortunately I do not see those "fields" if you will on the left side nav bar, nor does the table output anything other than the headers with no data.

0 Karma

Esteemed Legend

Show us 1 full sample event and also the SPL that you are using.

0 Karma

Path Finder

With this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is: if I do that and don't see fields created for the attributes, how do I reference those rex values for a table (as an example)?

0 Karma