Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multivalue fields to Columns and values of a single event

Matioski7
Explorer
‎05-04-2021 06:26 AM

Hello,

I'm trying to show this event as a table:

 

 

2021-05-04 11:28:56.722, TIME="2021-05-04 11:28:56.722", ID="0a7a270b79341ba28179372363920a5d", CREATED="1620127736722", SOURCE="Group Aggregation", ACTION="entitlement_attribute_change", TARGET="CN=g-cvi_admin_test,OU=CVI,OU=Security,OU=Control Groups,DC=base,DC=dev", APPLICATION="AD Base Direct", ACCOUNT_NAME="memberOf", INSTANCE="003608aa42a7425793ea73cc7f9f8e65", ATTRIBUTE_NAME="msDS-PrincipalName", ATTRIBUTE_VALUE="BASEDEV\g-cvi_admin_test", ATTRIBUTES="<Attributes>
        <Map>
          <entry key="attributeName" value="msDS-PrincipalName"/>
          <entry key="newValue" value="BASEDEV\g-cvi_admin_test"/>
          <entry key="oldValue" value="BASEINT\g-cvi_admin_test"/>
        </Map>
</Attributes>
", STRING1="Change of group of value CN=g-cvi_admin_test,OU=CVI,OU=Security,OU=Control Groups,DC=base,DC=dev on AD Base Direct", STRING2="BASEINT\g-cvi_admin_test", STRING3="group"

 

 

I have all the fields extracted correctly  even the ATTRIBUTES:

 

 

<Attributes>
        <Map>
          <entry key="attributeName" value="msDS-PrincipalName"/>
          <entry key="newValue" value="BASEDEV\g-cvi_admin_test"/>
          <entry key="oldValue" value="BASEINT\g-cvi_admin_test"/>
        </Map>
</Attributes>

 

 

From this ATTRIBUTE field, thanks to:

 

 

|rex max_match=0 field=ATTRIBUTES "<entry key=\"(?<key_xml>[a-zA-Z0-9_]+?)\" value=\"(?<value_xml>[\s\S]+?)(?:\"\/>)"

 

 

From that I'm getting key_xml and value_xml as multivalues.

I would like to have key_xml as column names and value_xml as row cells of the corresponding keys.

Thanks to whomever can help me

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-04-2021 06:38 AM

@Matioski7 

 

You can try Dynamic eval for this with some magical multivalued commands . Please check my sample search for single event./ You can modify this as per your requirement.

 

| makeresults 
| eval ATTRIBUTES="<Attributes>
        <Map>
          <entry key=\"attributeName\" value=\"msDS-PrincipalName\"/>
          <entry key=\"newValue\" value=\"BASEDEV\g-cvi_admin_test\"/>
          <entry key=\"oldValue\" value=\"BASEINT\g-cvi_admin_test\"/>
        </Map>
</Attributes>" 
| rex max_match=0 field=ATTRIBUTES "<entry key=\"(?<key_xml>[a-zA-Z0-9_]+?)\" value=\"(?<value_xml>[\s\S]+?)(?:\"\/>)" 
| fields key_xml,value_xml 
| eval tmp = mvzip(key_xml,value_xml) 
| mvexpand tmp 
| eval key_xml=mvindex(split(tmp,","),0),value_xml=mvindex(split(tmp,","),1), {key_xml}=value_xml 
| fields - tmp,key_xml,value_xml
| stats values(*) as *

 

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-04-2021 06:38 AM

@Matioski7 

 

You can try Dynamic eval for this with some magical multivalued commands . Please check my sample search for single event./ You can modify this as per your requirement.

 

| makeresults 
| eval ATTRIBUTES="<Attributes>
        <Map>
          <entry key=\"attributeName\" value=\"msDS-PrincipalName\"/>
          <entry key=\"newValue\" value=\"BASEDEV\g-cvi_admin_test\"/>
          <entry key=\"oldValue\" value=\"BASEINT\g-cvi_admin_test\"/>
        </Map>
</Attributes>" 
| rex max_match=0 field=ATTRIBUTES "<entry key=\"(?<key_xml>[a-zA-Z0-9_]+?)\" value=\"(?<value_xml>[\s\S]+?)(?:\"\/>)" 
| fields key_xml,value_xml 
| eval tmp = mvzip(key_xml,value_xml) 
| mvexpand tmp 
| eval key_xml=mvindex(split(tmp,","),0),value_xml=mvindex(split(tmp,","),1), {key_xml}=value_xml 
| fields - tmp,key_xml,value_xml
| stats values(*) as *

 

Reply
Solved! Jump to solution

Matioski7
Explorer
‎05-04-2021 06:54 AM

Thanks, it was very helpful.

But I still have an issue, the "fields -" is taking also all the other field extracted that I don't want to include, I would like to include only the one specified in key_xml field that of course is Dynamic and can change.

How can I prevent all the other fields to be shown

 

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-04-2021 06:58 AM

You can allowed just required field.

like in this case we are using just ATTRIBUTES field. then after your base search just put 

| fields ATTRIBUTES

 

it will restrict all other fields.  

Reply
Solved! Jump to solution

Matioski7
Explorer
‎05-04-2021 07:07 AM

Working like a charm, Thanks a lot. You made my day.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...