- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- There is a way to extract a value from field and t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a way to extract a value from field and then use it as a new field ?
Hi ,
There is a way to extract a value from field and then use it as a new field ?
For example : I have the following event:
"CEF:0|IMPERVA|SecureSphere|9.0.0|Firewall: eventID=233215 act=none proto=tcp cs1=mozilla cs1Lable=UserAgent"
The meaning of cs1 is = Custom string1
I want to extract the value from cs1Lable=UserAgent and then us it as a new field and finally enter value from another field (cs1=mozilla) to him.
for example: the fields cs1=mozilla and cs1Lable=UserAgent become : UserAgent=mozilla
And If it possible to set it globally.
10x
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brakets {} , are what to use here.
Here you go . For each cs1Lable value, a new field with that value as a label will be created and the value of that field will be the cs1's value, for the same event.
...|rex field=_raw "cs1\=(? <field1>\S)\s+cs1lable\=(? <field2>[^\n])"|eval {field2}=field1
in your event gave above a field called UserAgent will be created, with mozilla as a value.
You can also edit your props.conf if you want these fields appear in your events permenently
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bugnet
Try this search code
......|rex field=_raw "cs1\=(? <field1>\S)\s+cs1lable\=(? <field2>[^\n])"|eval UserAgent=if(field2==UserAgent,[......|eval UserAgent=field1|return $UserAgent ] ,"none")|table UserAgent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex field=_raw .*cs1=(?[^\s]+)\scs1Lable=(?[^"]+)
There's a slightly better version of the regex. This one doesn't capture the closing "-symbol in your label field. As for your second question, have a look at http://answers.splunk.com/answers/78340/is-it-possible-to-set-field-name-and-value-with-rex-similar-...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to achieve this with regular expressions. I've attempted it but my knowledge of it isn't the best, but i can capture the parts you want but can't combine them.
.*cs1=(?<Custom>\w*)\scs1Lable=(?<Label>.*)
Then either use the rex command in your search to extract the field at search time or put it in the props.conf file
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
