Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

There is a way to extract a value from field and then use it as a new field ?

bugnet
Path Finder
‎06-03-2015 12:56 AM

Hi ,
There is a way to extract a value from field and then use it as a new field ?
For example : I have the following event:

"CEF:0|IMPERVA|SecureSphere|9.0.0|Firewall: eventID=233215 act=none proto=tcp cs1=mozilla cs1Lable=UserAgent"
The meaning of cs1 is = Custom string1

I want to extract the value from cs1Lable=UserAgent and then us it as a new field and finally enter value from another field (cs1=mozilla) to him.
for example: the fields cs1=mozilla and cs1Lable=UserAgent become : UserAgent=mozilla
And If it possible to set it globally.

10x

Tags (2)
Reply

stephanefotso
Motivator
‎06-03-2015 02:07 AM

Brakets {} , are what to use here.

Here you go . For each cs1Lable value, a new field with that value as a label will be created and the value of that field will be the cs1's value, for the same event.

...|rex field=_raw "cs1\=(? <field1>\S)\s+cs1lable\=(? <field2>[^\n])"|eval {field2}=field1

in your event gave above a field called UserAgent will be created, with mozilla as a value.
You can also edit your props.conf if you want these fields appear in your events permenently
Thanks

SGF
Reply

chimell
Motivator
‎06-03-2015 02:07 AM

Hi bugnet
Try this search code 

    ......|rex field=_raw "cs1\=(? <field1>\S)\s+cs1lable\=(? <field2>[^\n])"|eval UserAgent=if(field2==UserAgent,[......|eval UserAgent=field1|return $UserAgent ] ,"none")|table UserAgent
0 Karma
Reply

lcrielaa
Communicator
‎06-03-2015 01:38 AM

| rex field=_raw .*cs1=(?[^\s]+)\scs1Lable=(?[^"]+)

There's a slightly better version of the regex. This one doesn't capture the closing "-symbol in your label field. As for your second question, have a look at http://answers.splunk.com/answers/78340/is-it-possible-to-set-field-name-and-value-with-rex-similar-...

0 Karma
Reply

MichaelPriest
Communicator
‎06-03-2015 01:16 AM

You should be able to achieve this with regular expressions. I've attempted it but my knowledge of it isn't the best, but i can capture the parts you want but can't combine them.

.*cs1=(?<Custom>\w*)\scs1Lable=(?<Label>.*)

Then either use the rex command in your search to extract the field at search time or put it in the props.conf file

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...