Re: Remove punctuation from multivalue field and ...

atebysandwich · ‎03-28-2023

I'm pretty sure the answer to my question is regex but I'm not too savy with it.

I have a few values in an IP field formatted like the below example. How can I remove the [] , and ' and get each IP in its own event?

['10.1.1.1', '10.2.2.2']

richgalloway · ‎03-28-2023

It can be done without regex.

| makeresults | eval data="['10.1.1.1','10.2.2.2']"
``` Above defines test data.  Delete IRL ```
``` Break the IP addresses apart ```
| eval data=split(data,",") 
``` Put each IP address in its own event ```
| mvexpand data
``` Trim out excess chars ```
| eval data=trim(trim(data,"[]"), "'")

---
If this reply helps you, Karma would be appreciated.

yeahnah · ‎03-28-2023

Hi @atebysandwich

Here's a run anywhere example that will meet your needs

| makeresults
| eval IPs="['10.1.1.1', '10.2.2.2']"
  ``` above just creates dummy value ```
| rex field=IPs mode=sed "s/[\[\]']//g"   ``` strip unwanted characters to normalise the field ```
| eval IP=split(IPs, ", ")   ``` make the field a mutlivalue field ```
| mvexpand IP    ``` expand each value to an event ```

Hope this helps

atebysandwich · ‎03-28-2023

While using your suggestion, the "dummy" data in line two of your suggestion made each event have the same two IPS while the lookup had over 7k. However, I was able to us eth regex and other example of regex to remove the spaces and achieve what I wanted.

| rex field=IP mode=sed "s/[\[\]']//g"
| makemv IP delim="," 
| rex field=IP mode=sed "s/(^\s+)|(\s+$)//g"
| mvexpand IP

Removing punctuation from multivalue field and put value in own event?

fields

regex

rex

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...