Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

array

vinod0313
Explorer
‎08-25-2020 01:37 AM

Hello

I have log like below

FEATURES_USING=[tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]


I want result should be like below



 

 

tokenValidatorInfo=false

equestValidationRequired=false
requestPayloadValidationRequired=false
responsePayloadValidationRequired=false
aopUsed=false
tibcoCommunicatorUsed=false
secretsSecured=false

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎08-26-2020 04:05 AM 
index=_internal | head 1 | fields _raw
| eval _raw="05789549ec5f environment=AWS-DEV 2020-08-25 09:33:52 [scheduling-1] [INFO ] [{spanId=e055c0a22de08485, traceId=e055c0a22de08485}] [com.deltadental.platform.common.config.AppConfig:refreshCommonServicesFeatures:93] - FEATURES_USING=[TOKEN_VALIDATION=false, REQUETS_VALIDATION=false, REQUEST_PAYLOAD_VALIDATION=false, RESPONSE_PAYLOAD_VALIDATION=false, AOP=false, TIBCO_COMMUNICATOR=false, SECRETS_SECURE=false]"

| kv


and search with smart mode

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2020 02:52 AM

Hi @vinod0313 

It is not clear if you have already extracted any fields but assuming not:

 

| makeresults 
| eval log="FEATURES_USING=[tokenValidatorInfo=false, requestValidationRequired=false, requestPayloadValidationRequired=false, responsePayloadValidationRequired=false, aopUsed=false, tibcoCommunicatorUsed=false, secretsSecured=false]"
| rex field=log "FEATURES_USING=\[(?<feature>.*)\]" 
| makemv delim=", " feature 
| mvexpand feature 
| fields feature

 

You could extract the part between the [] into a field, then make it multi-value using ", " as your delimiter, then expand the multi-value field into separate rows. 

0 Karma
Reply

vinod0313
Explorer
‎08-25-2020 03:29 AM

it is not working

my log is shown below

 

05789549ec5f environment=AWS-DEV 2020-08-25 09:33:52 [scheduling-1] [INFO ] [{spanId=e055c0a22de08485, traceId=e055c0a22de08485}] [com.deltadental.platform.common.config.AppConfig:refreshCommonServicesFeatures:93] - FEATURES_USING=[TOKEN_VALIDATION=false, REQUETS_VALIDATION=false, REQUEST_PAYLOAD_VALIDATION=false, RESPONSE_PAYLOAD_VALIDATION=false, AOP=false, TIBCO_COMMUNICATOR=false, SECRETS_SECURE=false]

I want result should like below



TOKEN_VALIDATION=false
REQUETS_VALIDATION=false
REQUEST_PAYLOAD_VALIDATION=false
-
-

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2020 03:46 AM

Always good to have a real example! However, what is not working?

 

| makeresults 
| eval log="05789549ec5f environment=AWS-DEV 2020-08-25 09:33:52 [scheduling-1] [INFO ] [{spanId=e055c0a22de08485, traceId=e055c0a22de08485}] [com.deltadental.platform.common.config.AppConfig:refreshCommonServicesFeatures:93] - FEATURES_USING=[TOKEN_VALIDATION=false, REQUETS_VALIDATION=false, REQUEST_PAYLOAD_VALIDATION=false, RESPONSE_PAYLOAD_VALIDATION=false, AOP=false, TIBCO_COMMUNICATOR=false, SECRETS_SECURE=false]"
| rex field=log "FEATURES_USING=\[(?<feature>.*)\]" 
| makemv delim=", " feature 
| mvexpand feature 
| fields feature

 

Gives:

feature
TOKEN_VALIDATION=false
REQUETS_VALIDATION=false
REQUEST_PAYLOAD_VALIDATION=false
RESPONSE_PAYLOAD_VALIDATION=false
AOP=false
TIBCO_COMMUNICATOR=false
SECRETS_SECURE=false
0 Karma
Reply

vinod0313
Explorer
‎08-25-2020 03:54 AM

i am getting below events i am not getting actual expected results


vinod0313_0-1598352870967.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2020 03:59 AM

Yes, the events don't change - you need to look at the results - try adding

| table feature

Then look at the statistics tab 

0 Karma
Reply

vinod0313
Explorer
‎08-25-2020 04:03 AM

I have added it.

vinod0313_0-1598353413527.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2020 04:07 AM

OK you took my solution too literally! The rex has to be applied to your _raw not my made up log field:

| rex field=_raw "FEATURES_USING=\[(?<feature>.*)\]"

Unless you have already extract FEATURES_USING into its own field 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top