Re: Multi Valued Field Help

ghostdog920 · ‎05-02-2019

I have looked at a ton of posts about breaking a multivalued field but having zero luck effecting a solution. I have a csv file that i have imported into splunk. In one of the fields, it contains data like this:

Subject Name: Country: US State/Province: Virginia Locality: Glen Allen

I thought i could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what i want. Can someone lend me their expertise in resolving?

Ideally once i break this field up into its individual pieces i want to create a dashboard that check one of them and ties it to all its records. Worry for another day if i can't break up the field.

ghostdog920 · ‎05-06-2019

Thanks everyone for the responses. I was out of the office Friday and also today so will get back to playing with this tomorrow and let you know the status.

woodcock · ‎05-04-2019

OK, I am taking a long-shot here and guessing that you are on an older version of Splunk which displays newlines as spaces. Try this:

... | rex "(?ms)Country:[\r\n\s]+(?<Country>.*?)[\r\n\s]+State\/Province:[\r\n\s]+(?<State>.*?)[\r\n\s]+Locality:[\r\n\s]+(?<Locality>.*)$"

Sukisen1981 · ‎05-03-2019

Hi @ghostdog920 - please look at what you are pasting, you are corrupting the rex while pasting like what happend with me.

| makeresults 
 | eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
 | rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

Have a look at what you tried last for the country field - field=plug_out "Country:\s+(?.?) and for all subsequent fields. There is nothing between the 2 question marks after the brackets, thats why it is giving an error please copy the code above (try pasting to a notepad first) and check the code. ATM while pasting you are corrupting the rex while pasting

Sukisen1981 · ‎05-02-2019

| makeresults 
| eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
| rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

Sukisen1981 · ‎05-02-2019

there you go just copy and paste it this one line works...sorry i guess the code copy in the comments was eating out some stuff from the rex

Sukisen1981 · ‎05-02-2019

if this works as it should all you need to do is append index=nessus|rename "Plugin Output" as plug_out before the rex , remove makeresults & the hard coded eval

ghostdog920 · ‎05-07-2019

Got this working (or at least not erroring) after I appended the index|rename as needed. I get a raw event dump and the regex fields still aren't listed in the "interesting fields" section as I would expect, but perhaps they wouldn't be?

ghostdog920 · ‎05-02-2019

Still no go. Thanks for all your help with this though as i wouldn't have gotten this far without you.

ghostdog920 · ‎05-02-2019

Tried this:
index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And got this:
Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

ghostdog920 · ‎05-02-2019

So sorry, thought i responded back. I tried this:

index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And i got this output:

Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Thoughts on where i messed up?

Sukisen1981 · ‎05-02-2019

wait a sec its copying out incorrectly from my splunk browser to here

Sukisen1981 · ‎05-02-2019

remove the quotes you put ahead of plug_out in the rex , copy and paste this | makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.*?)\s+State\/Province:\s+(?.*?)\s+Locality:\s+(?.*)$"

Sukisen1981 · ‎05-02-2019

this will give you a 1 line sample output , is this what you need but for all lines of your csv?

woodcock · ‎05-02-2019

Like this:

... | rex "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

ghostdog920 · ‎05-02-2019

ghostdog920 · ‎05-02-2019

Is this legible enough?

Sukisen1981 · ‎05-02-2019

Try index=nessus|rename "Plugin Output" as plug_out| rex field=_plug_out"Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

@woodcock 's rex is correct and will work. check using table

ghostdog920 · ‎05-02-2019

Ok, unfortunately I do not see those "fields" if you will on the left side nav bar, nor does the table output anything other than the headers with no data.

woodcock · ‎05-02-2019

Show us 1 full sample event and also the SPL that you are using.

ghostdog920 · ‎05-02-2019

WIth this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is if i do that and don't see fields created for the attributes, how do i reference those rex values for a table (as an example)?

Multi Valued Field Help

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?