Splunk Search

Multivalue field extraction

cdstealer
Contributor

Hi, I'm struggling to get this extracted correctly so it's usable.
The raw data is presented as:

    Privileges: SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeLoadDriverPrivilege
            SeImpersonatePrivilege
            SeAssignPrimaryTokenPrivilege

By default, only the first entry is assigned to the field eg:

"SeSecurityPrivilege"

I can extract the remaining lines into the field using the regex "Privileges:\t(?P(\w+\s+|\t\t\t\w+\s+)+)", which returns this:

"SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege"

Now what I need is to split each of these into the Privileges field as separate values.

These values are not a static number of entries, so Privileges could contain anything between 1 and 10 lines.

Any advice would be great as the docs and answers I've read don't seem to help this situation.

TIA
Steve

1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=main EventCode="576" |rex field=_raw "Privileges:\t(?P<Privileges>(\w+\s+|\t\t\t\w+\s+)+)" | rex field=Privileges max_match=0 "(?<Privilege>\S+)\s+" | mvexpand Privilege

View solution in original post

cdstealer
Contributor

Thanks to everyone that has offered help. Much appreciated.

0 Karma

alemarzu
Motivator

Hi cdstealer

Try to add this, after your field extraction.

main search | rex field=_raw ... | makemv delim=" " Privileges | mvexpand Privileges 

Hope it helps.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=main EventCode="576" |rex field=_raw "Privileges:\t(?P<Privileges>(\w+\s+|\t\t\t\w+\s+)+)" | rex field=Privileges max_match=0 "(?<Privilege>\S+)\s+" | mvexpand Privilege

cdstealer
Contributor

Perfect! I think you've solved a couple of my past questions. So thank you very much again 🙂

0 Karma

cdstealer
Contributor

Hi again, Now I'm struggling transferring the search into props/transforms. I'm probably missing something simple.

props.conf:

EXTRACT-Privileges = Privileges:\t(?P<Privileges>(\w+\s+|\t\t\t\w+\s+)+)
REPORT-fields = privilege

transforms.conf:

[privilege]
SOURCE_KEY = Privileges
REGEX = "(?<privilege>\S+)\s+)
REPEAT_MATCH = true
MV_ADD = true

So the new field that contains the extracted values is not happening.

0 Karma

DavidHourani
Super Champion

Hello, did you manage to solve this ?

0 Karma

skawasaki_splun
Splunk Employee
Splunk Employee

You have an extra " in front of your REGEX in transforms.conf.

0 Karma

fdi01
Motivator

try :

  your_base_search|rex field=_raw "Privileges:\t(?P<Privileges>(\w+\s+|\t\t\t\w+\s+)+)"| eval Privileges=split(field_name_extraction, " ")| mvexpand Privileges|...
0 Karma

cdstealer
Contributor

Hi fdi01, Thanks. Unfortunately this does not change the output.

Steve

0 Karma

fdi01
Motivator

your rex |rex field=_raw "Privileges:\t(?P<Privileges>(\w+\s+|\t\t\t\w+\s+)+)"| capture all results in Privileges field ???

0 Karma

cdstealer
Contributor

This is what I'm getting.
alt text

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...