Splunk Search

Search for Multiple Values and extract them into a single field?

ito27
New Member

Can you please help me to figure out how I can extract multiple values in a source and extract them into a single field?

For example, how can I make these two values that I am searching for be extracted to a field named "web_browser":

sourcetype="iis-369" | rex field=_raw "(?P<web_browser>\W\w\w\w\w\w\w\W\d\d\d\W\d\d\s\d\d\d),(?:\W\w\w\w\w\W\d\W\d)"

Do I have to type "AND" between the two values? I tried it already and it did not work.
Also, I tried to type "|" = "or" and it doesn't work either.

0 Karma

bjoernjensen
Contributor

Hey there,

this depends a little on how you would like those values to be shown. Assuming you would like to have a multi-value field, something like this should work:

sourcetype="iis-369" | rex field=_raw "(?<field1>\W\w\w\w\w\w\w\W\d\d\d\W\d\d\s\d\d\d)" | rex field=_raw "(?<field2>\W\w\w\w\w\W\d\W\d)" | eval web_browser = field1 + ":" + field2 | makemv delim=":" web_browser | table _time web_browser _raw

This runs rex twice and builds the mv field 'web_browser' using ':' as the separator. You should of course be sure your rex does not match that delimiter.

0 Karma

ito27
New Member

How can I search for all the values needed and extract them into different fields at the same time? So the command log gets saved by the time I work with the second field, because that is where my problem comes up when doing everything at once. For example, I type AND or OR in the search bar but it gives me an error because I have duplicated commands.

0 Karma

jstockamp
Communicator

To combine two fields you can use eval combined_field = field1 . "-" . field2, which will combine them with a hyphen between.

0 Karma

bjoernjensen
Contributor

Sample data would be very useful. I guess there should be some (regex) way to match "all values needed" by inspecting the vicinity.

0 Karma

jstockamp
Communicator

I'm having a hard time understanding what you're trying to do. Maybe posting some sample data would be useful. You can easily extract multiple fields in a single rex command.
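The two approaches in this thread, bjoernjensen's pair of rex calls joined with a delimiter and split back out by makemv, and jstockamp's point that a single rex can carry both named groups, rendered in Python as an added example (this is not code from the thread or from Splunk). Python's re module uses the same (?P<name>...) group syntax that Splunk's rex accepts, so the regex below is the one from the posts with the repeated classes written as counts; the IIS-like event lines and the names field1/field2 are constructed for the example, and the colons in the last event are there only to show why the delimiter caveat in the answer above matters.

```python
import re

# Constructed sample events for this example (not data from the original post).
# Their shapes are chosen only to satisfy the two patterns quoted in the thread,
# not to mirror real IIS log lines.
SAMPLE_EVENTS = [
    '2024-05-01 12:00:00 GET /index.html 200 "Chrome/124.01 998,(Edge/2.0)"',
    '2024-05-01 12:00:01 GET /login 302 "Safari/017.07 604,(WebK/6.1)"',
    '2024-05-01 12:00:02 GET /api 200 "curl/8.4.0"',  # matches neither pattern
    # The \W positions in the first pattern also accept ':', which is the
    # delimiter the makemv approach splits on.
    '2024-05-01 12:00:03 GET /x 200 "Chrome:124:01 998,(Edge/2.0)"',
]

# The thread's two sub-patterns as a single regex with two named groups.
# Splunk's rex accepts the same (?P<name>...) syntax, so this is the regex a
# single "| rex field=_raw ..." would carry. The group names are assumed.
BROWSER_RE = re.compile(
    r'(?P<field1>\W\w{6}\W\d{3}\W\d{2}\s\d{3}),(?P<field2>\W\w{4}\W\d\W\d)'
)


def extract(event):
    """Return (field1, field2) for one event, or None if it does not match."""
    m = BROWSER_RE.search(event)
    return (m.group("field1"), m.group("field2")) if m else None


def multivalue_via_delimiter(field1, field2, delim=":"):
    """Mimic 'eval web_browser = field1 + delim + field2 | makemv delim=delim'.

    The round trip through a delimiter breaks as soon as either value
    contains that delimiter: the split yields more than two values.
    """
    return (field1 + delim + field2).split(delim)


def multivalue_direct(field1, field2):
    """Build the multivalue field without a delimiter (SPL: mvappend(field1, field2)).

    Always yields exactly the two extracted values, whatever they contain.
    """
    return [field1, field2]


def web_browser_by_event(events):
    """Map each matching event to its two-valued web_browser list, the way
    '| table _time web_browser _raw' would show it."""
    result = {}
    for event in events:
        pair = extract(event)
        if pair is not None:
            result[event] = multivalue_direct(*pair)
    return result


if __name__ == "__main__":
    for event, values in web_browser_by_event(SAMPLE_EVENTS).items():
        print(values, "<-", event)
    f1, f2 = extract(SAMPLE_EVENTS[3])
    print("delimiter round trip:", multivalue_via_delimiter(f1, f2))
```

The last event is the case the answer warns about: the extracted value itself contains ':', so joining with ':' and splitting on it again produces four values instead of two. The single-rex form avoids the round trip entirely; in SPL that is one rex with both named groups followed by eval web_browser = mvappend(field1, field2), with no delimiter to collide with.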
