create a multivalue field, based on multiple singl...

fsiemons · ‎07-20-2020

Hi there, I have a bit of a tough one.

I have a log with multiple entries of the same field, basically a list of values. I am trying to merge these values into a single new field, with a line for every value that was in the RAW event.

An example:

name=peter
actions=
5:read
2:read
2:write
2:write

richgalloway · ‎07-21-2020

See if this helps.

| makeresults | eval _raw="2020-07-21T01:52:37+00:00 devicename=device1 | id=a522131 | date=2020-07-21T01:51:20 | name=peter | score=5 | action=read | randomfield1=nothingimportant | score=2 | action=read | score=2 | action=write | score=2 | action=write | randomfield2=nothingimportant"
```Above just creates test data```
| rex "\bname=(?<name>\w+)" 
| rex max_match=0 "score=(?<score>\d+)" 
| rex max_match=0 "action=(?<action>\w+)"
| eval actions=mvzip(score, action, ":")
| table name actions

---
If this reply helps you, Karma would be appreciated.

create a multivalue field, based on multiple single value fields with the same field name

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!