Splunk Search

Multi Valued Field Help

ghostdog920
Path Finder

I have looked at a ton of posts about breaking a multivalued field but am having zero luck effecting a solution. I have a CSV file that I have imported into Splunk. In one of the fields, it contains data like this:

Subject Name: Country: US State/Province: Virginia Locality: Glen Allen 

I thought I could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what I want. Can someone lend me their expertise in resolving this?

Ideally, once I break this field up into its individual pieces I want to create a dashboard that checks one of them and ties it to all its records. A worry for another day if I can't break up the field.

0 Karma

ghostdog920
Path Finder

Thanks everyone for the responses. I was out of the office Friday and also today so will get back to playing with this tomorrow and let you know the status.

0 Karma

woodcock
Esteemed Legend

OK, I am taking a long-shot here and guessing that you are on an older version of Splunk which displays newlines as spaces. Try this:

... | rex "(?ms)Country:[\r\n\s]+(?<Country>.*?)[\r\n\s]+State\/Province:[\r\n\s]+(?<State>.*?)[\r\n\s]+Locality:[\r\n\s]+(?<Locality>.*)$"
0 Karma

Sukisen1981
Champion

Hi @ghostdog920, please look at what you are pasting: you are corrupting the rex while pasting, like what happened with me.

| makeresults 
 | eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
 | rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

Have a look at what you tried last for the country field, field=plug_out "Country:\s+(?.?)", and for all subsequent fields. There is nothing between the 2 question marks after the brackets; that's why it is giving an error. Please copy the code above (try pasting to a notepad first) and check the code. At the moment you are corrupting the rex while pasting.

0 Karma

Sukisen1981
Champion
| makeresults 
| eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" 
| rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"
0 Karma

Sukisen1981
Champion

There you go, just copy and paste it; this one line works... sorry, I guess the code copy in the comments was eating some stuff out of the rex.

0 Karma

Sukisen1981
Champion

If this works as it should, all you need to do is append index=nessus|rename "Plugin Output" as plug_out before the rex, and remove makeresults and the hard-coded eval.

0 Karma

ghostdog920
Path Finder

Got this working (or at least not erroring) after I appended the index|rename as needed. I get a raw event dump and the regex fields still aren't listed in the "interesting fields" section as I would expect, but perhaps they wouldn't be?

0 Karma

ghostdog920
Path Finder

Still no go. Thanks for all your help with this though, as I wouldn't have gotten this far without you.

[screenshot]

0 Karma

ghostdog920
Path Finder

Tried this:
index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And got this:
Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

ghostdog920
Path Finder

So sorry, thought I responded back. I tried this:

index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"

And i got this output:

Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Thoughts on where I messed up?

0 Karma

Sukisen1981
Champion

Wait a sec, it's copying out incorrectly from my Splunk browser to here.

0 Karma

Sukisen1981
Champion

Remove the quotes you put ahead of plug_out in the rex, and copy and paste this:

| makeresults
| eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen"
| rex field=plug_out "Country:\s+(?.*?)\s+State\/Province:\s+(?.*?)\s+Locality:\s+(?.*)$"

0 Karma

Sukisen1981
Champion

This will give you a one-line sample output. Is this what you need, but for all lines of your CSV?

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"
0 Karma
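The two rex expressions in this thread (woodcock's newline-tolerant (?ms) version earlier in the thread and the single-line version directly above) are ordinary PCRE, so they can be exercised outside Splunk. The following is an added Python example, not code from the thread or from Splunk; the sample "Plugin Output" strings are constructed for illustration, and the third, bounded pattern is our own tightening rather than anything posted here. It shows what each pattern extracts from the pasted one-line sample, from a newline-separated subject, and from a subject with trailing attributes, and that a pattern which matches the pasted sample can return no fields at all on a slightly different real event, which is one way a `| table` ends up with headers and blank cells.

```python
import re
from typing import Optional

# Constructed sample "Plugin Output" values for illustration; not real Nessus data.
# "one_line" is the exact string pasted in the thread. The multi-line forms stand in
# for a newline-separated subject that an older Splunk UI might render with spaces.
SAMPLES = {
    "one_line": "Subject Name: Country: US State/Province: Virginia Locality: Glen Allen",
    "multi_line": "Subject Name:\nCountry: US\nState/Province: Virginia\nLocality: Glen Allen",
    "multi_line_trailing": (
        "Subject Name:\nCountry: US\nState/Province: Virginia\n"
        "Locality: Glen Allen\nOrganization: Example Corp"
    ),
    "no_subject": "SSL certificate subject not returned by plugin",
}

# The single-line rex from the thread, unchanged except that Python spells a named
# group (?P<name>...) where Splunk's PCRE accepts (?<name>...).
SINGLE_LINE_REX = re.compile(
    r"Country:\s+(?P<Country>.*?)\s+State/Province:\s+(?P<State>.*?)\s+Locality:\s+(?P<Locality>.*)$"
)

# The newline-tolerant variant from the thread: (?ms) lets '.' cross newlines and
# '$' match at line ends, so the greedy final '.*' swallows everything after Locality.
MULTI_LINE_REX = re.compile(
    r"(?ms)Country:[\r\n\s]+(?P<Country>.*?)[\r\n\s]+State/Province:[\r\n\s]+"
    r"(?P<State>.*?)[\r\n\s]+Locality:[\r\n\s]+(?P<Locality>.*)$"
)

# Our own tightening (assumption, not from the thread): \s+ already spans newlines,
# and bounding the last capture to one line keeps later subject attributes
# (Organization, Common Name, ...) out of Locality. No '$' anchor is needed.
BOUNDED_REX = re.compile(
    r"Country:\s+(?P<Country>.*?)\s+State/Province:\s+(?P<State>.*?)\s+Locality:\s+(?P<Locality>[^\r\n]*)"
)


def extract_subject(plugin_output: str, rex: re.Pattern = BOUNDED_REX) -> Optional[dict]:
    """Mimic `| rex field=plug_out "..."` on a single event.

    Returns the named groups as a dict, or None when the pattern does not match.
    Splunk's rex behaves the same way: a non-matching event simply gets no new
    fields, so nothing appears in the field sidebar or in a table of those fields.
    """
    match = rex.search(plugin_output)
    return match.groupdict() if match else None


def tabulate(events: dict, rex: re.Pattern) -> dict:
    """Run one rex over every sample event, like `| table Country State Locality`."""
    return {name: extract_subject(text, rex) for name, text in events.items()}


if __name__ == "__main__":
    for label, rex in (
        ("single-line rex", SINGLE_LINE_REX),
        ("(?ms) rex", MULTI_LINE_REX),
        ("bounded rex", BOUNDED_REX),
    ):
        print(f"== {label}")
        for name, fields in tabulate(SAMPLES, rex).items():
            print(f"  {name:20} -> {fields}")
```

Running it shows the single-line rex matching both the pasted sample and a plain multi-line subject, but returning None once an Organization line follows Locality (the `$` can no longer match); the (?ms) variant matches that event but folds the Organization line into Locality; the bounded variant yields the same three clean fields in all three cases. Which real-event shape you have is exactly what woodcock's request for one full sample event would settle.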

ghostdog920
Path Finder

[screenshot]

[screenshot]

0 Karma

ghostdog920
Path Finder

Is this legible enough?

0 Karma

Sukisen1981
Champion

Try:

index=nessus|rename "Plugin Output" as plug_out| rex field=plug_out "Country:\s+(?<Country>.*?)\s+State\/Province:\s+(?<State>.*?)\s+Locality:\s+(?<Locality>.*)$"

@woodcock's rex is correct and will work. Check using table.

0 Karma

ghostdog920
Path Finder

OK, unfortunately I do not see those "fields", if you will, in the left-side nav bar, nor does the table output anything other than the headers, with no data.

0 Karma

woodcock
Esteemed Legend

Show us 1 full sample event and also the SPL that you are using.

0 Karma

ghostdog920
Path Finder

With this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is: if I do that and don't see fields created for the attributes, how do I reference those rex values for a table (as an example)?

0 Karma