Splunk Search

Is there a way to extract a value from a field and then use it as a new field?

Path Finder

Hi,
Is there a way to extract a value from a field and then use it as a new field?
For example, I have the following event:

"CEF:0|IMPERVA|SecureSphere|9.0.0|Firewall: eventID=233215 act=none proto=tcp cs1=mozilla cs1Lable=UserAgent"
The meaning of cs1 is "Custom string 1".

I want to extract the value from cs1Lable=UserAgent, use it as a new field name, and finally assign the value of another field (cs1=mozilla) to it.
For example: the fields cs1=mozilla and cs1Lable=UserAgent become: UserAgent=mozilla
And, if possible, set it globally.

10x


Re: There is a way to extract a value from field and then use it as a new field ?

Communicator

You should be able to achieve this with regular expressions. I've attempted it, but my knowledge of it isn't the best; I can capture the parts you want but can't combine them.

.*cs1=(?<Custom>\w*)\scs1Lable=(?<Label>.*)

Then either use the rex command in your search to extract the field at search time, or put it in the props.conf file.

0 Karma

Re: There is a way to extract a value from field and then use it as a new field ?

Communicator

| rex field=_raw ".*cs1=(?<Custom>[^\s]+)\scs1Lable=(?<Label>[^\"]+)"

There's a slightly better version of the regex. This one doesn't capture the closing " symbol in your label field. As for your second question, have a look at http://answers.splunk.com/answers/78340/is-it-possible-to-set-field-name-and-value-with-rex-similar-...

0 Karma

Re: There is a way to extract a value from field and then use it as a new field ?

Motivator

Hi bugnet,
Try this search code:

    ......|rex field=_raw "cs1\=(?<field1>\S+)\s+cs1Lable\=(?<field2>[^\"\n]+)"|eval UserAgent=if(field2=="UserAgent", field1, "none")|table UserAgent
0 Karma

Re: There is a way to extract a value from field and then use it as a new field ?

Motivator

Brackets {} are what to use here.

Here you go. For each cs1Lable value, a new field with that value as its name will be created, and the value of that field will be cs1's value for the same event.

...|rex field=_raw "cs1\=(?<field1>\S+)\s+cs1Lable\=(?<field2>[^\"\n]+)"|eval {field2}=field1

In the event you gave above, a field called UserAgent will be created, with mozilla as its value.
You can also edit your props.conf if you want these fields to appear in your events permanently.
Thanks
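As an added illustration (not from the thread), the same csN/csNLabel promotion that the `eval {field2}=field1` answer performs, written in Python so the edge cases can be checked offline: the sample event is constructed from the question, and the `Lable` spelling is accepted alongside the standard CEF `Label` because that is what the question's event contains.

```python
import re
from typing import Dict

# Constructed sample event, shaped like the one in the question (not real traffic).
SAMPLE_EVENT = ("CEF:0|IMPERVA|SecureSphere|9.0.0|Firewall: eventID=233215 act=none "
                "proto=tcp cs1=mozilla cs1Lable=UserAgent")

# One key=value pair in the CEF extension; the value runs until the next " key=" or the end.
_KV_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_]+=|$)")
# A label key for a custom field: cs1Label, cn2Label, ... ("Lable" accepts the question's spelling).
_LABEL_RE = re.compile(r"^(?P<base>(?:cs|cn|flexString)\d+)(?:Label|Lable)$")


def parse_cef_extension(event: str) -> Dict[str, str]:
    """Return the key=value pairs from the extension part (text after the last '|')."""
    extension = event.rsplit("|", 1)[-1]
    return {m.group("key"): m.group("value") for m in _KV_RE.finditer(extension)}


def relabel_custom_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Promote csN/cnN values to a field named after their label, like `eval {field2}=field1`.

    The original keys are kept. A label is ignored when its value field is absent, when
    the label is empty, or when it would overwrite an existing field with a different value
    (so a log line cannot redefine a core field such as act= through a label).
    """
    out = dict(fields)
    for key, label in fields.items():
        m = _LABEL_RE.match(key)
        if not m:
            continue
        base = m.group("base")
        # Splunk field names should not carry spaces or punctuation; normalise the label first.
        name = re.sub(r"\W+", "_", label.strip())
        if base not in fields or not name:
            continue
        if name in out and out[name] != fields[base]:
            continue
        out[name] = fields[base]
    return out


if __name__ == "__main__":
    for k, v in sorted(relabel_custom_fields(parse_cef_extension(SAMPLE_EVENT)).items()):
        print(f"{k}={v}")
```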