Splunk Search

event contains same field with different values

Mike6960
Path Finder

My events contain the same field names multiple times with different values.
I.E.
< active_recip="9" deliv_recip="0" hard_bounced="4" hostname="clnpniv.local *" soft_bounced="0"/>
< active_recip="3" deliv_recip="0" hard_bounced="1" hostname="clnpdmz.local *" soft_bounced="0"/>

I tried a field extraction but then only one value is recognized as a field. How can I solve this? I searched online for MV etc. but I am a bit stuck.


Sukisen1981
Champion
| rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?<hard>\w+),(?<hostname>.+)"
| table _time hard hostname
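To make the rex / mvzip / mvexpand behaviour concrete, here is an added Python model of that search run over the two sample lines from the question; it is not Splunk code or the answerer's, and the function names (rex, mvzip, mvexpand, pipeline) are assumptions that mimic the SPL commands. It also shows why a `\w+` in the final rex would cut the hostname at its first dot.

```python
import re

# Constructed sample: the two element lines from the question, joined into
# one _raw event. That is why a default field extraction (one match) only
# ever yields the first hard_bounced / hostname pair.
SAMPLE_EVENT = (
    '< active_recip="9" deliv_recip="0" hard_bounced="4" hostname="clnpniv.local *" soft_bounced="0"/>\n'
    '< active_recip="3" deliv_recip="0" hard_bounced="1" hostname="clnpdmz.local *" soft_bounced="0"/>'
)

# Splunk's PCRE accepts (?<name>...); Python's re needs the (?P<name>...) spelling.
TRUNCATING_SPLIT = r"(?P<hard>\w+),(?P<hostname>\w+)"  # \w+ stops at '.' and ' '
SAFE_SPLIT = r"(?P<hard>\w+),(?P<hostname>.+)"         # keeps the whole hostname


def rex(raw, pattern, max_match=1):
    """Model of `rex field=_raw "<pattern>" max_match=N` for one capture group.

    max_match=1 is Splunk's default and keeps only the first match (the
    asker's problem); max_match=0 keeps every match as a multivalue field.
    """
    values = [m.group(1) for m in re.finditer(pattern, raw)]
    return values if max_match == 0 else values[:max_match]


def mvzip(a, b, delim=","):
    """Model of eval fields = mvzip(a, b): pair the i-th value of each field."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def mvexpand(values):
    """Model of mvexpand: one row per multivalue entry."""
    return [{"fields": v} for v in values]


def pipeline(raw, split_pattern):
    """The thread's search: two rex max_match=0 | mvzip | mvexpand | rex on fields."""
    hard = rex(raw, r'hard_bounced="+(.*?)"+', max_match=0)
    host = rex(raw, r'hostname="+(.*?)"+', max_match=0)
    rows = []
    for row in mvexpand(mvzip(hard, host)):
        m = re.match(split_pattern, row["fields"])
        rows.append(m.groupdict() if m else {})
    return rows


if __name__ == "__main__":
    print("default rex :", rex(SAMPLE_EVENT, r'hard_bounced="+(.*?)"+'))
    print("max_match=0 :", rex(SAMPLE_EVENT, r'hard_bounced="+(.*?)"+', max_match=0))
    print("\\w+ split   :", pipeline(SAMPLE_EVENT, TRUNCATING_SPLIT))
    print(".+ split    :", pipeline(SAMPLE_EVENT, SAFE_SPLIT))
```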

Sukisen1981
Champion

Finally, the above one should work. For some reason 'hard' and 'hostname' got missed out even after applying it within the code blocks, I dunno why!


Sukisen1981
Champion

Hi,

Your issue should be solved using this -
max_match
Syntax: max_match=
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1, use 0 to mean unlimited.
Ref. https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Rex

Just append max_match=0 to your rex and it should fetch all values for the same regex field.


Mike6960
Path Finder

Append max_match=0? Where? In the field extraction editor?


Sukisen1981
Champion

Refer to the documentation above. Something like:
sourcetype=linux_secure port "failed password" | rex "\s+(?<port>port \d+)" max_match=0 | stats
So in this case, if there is more than one value for your extracted field, ports, ALL of them will be fetched under ports.
You can re-use the field extractor regex if you don't want to write your own regex, and similarly replace the above rex with the rex generated by the field extractor, appended by max_match=0.


Mike6960
Path Finder

Ok, I understand what you mean, but when I use the regex from the editor then I get the message 'unbalanced quotes'.
Here is the rex:
^<\?\w+\s+\w+="\d+.\d+"\s+\w+="\w+-\d+"\s+\w+="\w+"\?>\s+<\w+\s+\w+\w+="\w+\w+"\s+\w+="\w+\s+\d+.\d+.\d+-\d+"\s+\w+="\w+.\w+.\w+"\s+\w+="\d+">\s+<\w+\w+\s+\w+\w+="\d+"\s+\w+\w+="\d+"\s+\w+\w+="\d+"\s+\w+_\w+="\d+"\s+\w+="(?P[^*]+)


Sukisen1981
Champion

Do we only need to extract active_recip to soft_bounced, i.e., the 4-5 fields as shown in your sample events?


Mike6960
Path Finder

No, I need to extract the values for hard_bounced and for hostname.


Sukisen1981
Champion

Try this - <your index>|rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | table hard,hostname


Sukisen1981
Champion

On second thoughts you might want them in separate rows; try this if that is the case:
| rex field=_raw "hard_bounced=\"+(?.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?\w+),(?\w+)"
| table _time hard hostname

Try both this one and the above; one of these is what you need.


Mike6960
Path Finder

Hi @Sukisen1981, if I use the second one I get the message 'Error in 'rex' command: Encountered the following error while compiling the regex 'hard_bounced="+(?.?)"+': Regex: unrecognized character after (? or (?- '


Sukisen1981
Champion

Hi, the code got corrupted while copying. Essentially the second query is the same as the first one till mvzip starts... use this:

<your index>|rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?<hard>\w+),(?<hostname>.+)"
| table _time hard hostname

Just try to fit the entire code on a continuous line if you encounter errors; this will work.


Mike6960
Path Finder

Sadly, still the same error. I don't see a difference between the codes, by the way.


Sukisen1981
Champion

Hi - Sorry, I once again copied the same code... I am pasting the correct code now. The difference is in the rex field statement: before \w+ the individual field names have to be mentioned; it is just a minor rex syntax issue.
I apologise once again for pasting the same wrong code twice.
|rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?<hard>\w+),(?<hostname>.+)"
| table _time hard hostname


Sukisen1981
Champion

I see it again, the code is not getting pasted properly again... look at the below:

| rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?<hard>\w+),(?<hostname>.+)"
| table _time hard hostname


diogofgm
SplunkTrust

You can do the extraction using props/transforms and add MV_ADD = true in transforms.conf.

transforms.conf

[my_extraction]
REGEX = <regular expression>
MV_ADD = true

props.conf

[my_sourcetype]

REPORT-my_extraction = my_extraction
------------
Hope I was able to help you. If so, some karma would be appreciated.