Splunk Search

Splitting Multi-Value and Multi-Line field?

daveywfii
Engager

I have a list of chrome extensions that are installed that is returned in a multivalue field. One of the results looks like this: 
Screenshot 2023-01-25 at 2.45.46 PM.png

All I really care about is the extension name so I was able to run this query to use rex to extract the names of all the extensions: 

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions

This returns: 
Screenshot 2023-01-25 at 2.48.50 PM.png

How can I further extract these extensions in this multi-value field.  I can't get mvexpand to work because it says that the new extensions field I created doesn't exist in the data. I can't figure out how to extract each line as a separate result so that I can dedup and get a full list of all installed extensions. 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

mvexpand should work

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions
| mvexpand extensions

Do you get an error?

Alternatively, you could try this

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| stats count by extensions
| fields - count

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

mvexpand should work

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions
| mvexpand extensions

Do you get an error?

Alternatively, you could try this

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| stats count by extensions
| fields - count
0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...