Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extract multiple values from fields in same ev...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello team ,
I am having one event in which single field have multiple value like provided below:
{"body":{"records": [{ "category": "AzureFirewallNetworkRule", "time": "2021-04-26T13:13:37.0631470Z", "resourceId": "/SUBSCRIPTIONS/**********-*****-****-**/RESOURCEGROUPS/C-ABS-IT-SS-PROD-UKS-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/C-ABS-IT-SS-PROD-UKS-FIREWALL", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.119.252.16:64967 to 54.83.8.19:54443. Action: Deny"}},{ "category": "AzureFirewallNetworkRule", "time": "2021-04-26T13:13:37.4217670Z", "resourceId": "/SUBSCRIPTIONS/**********-*****-****-**/RESOURCEGROUPS/C-ABS-IT-SS-PROD-UKS-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/C-ABS-IT-SS-PROD-UKS-FIREWALL", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.119.34.12:62142 to 131.100.0.201:5938. Action: Deny"}},{ "category": "AzureFirewallNetworkRule", "time": "2021-04-26T13:13:37.9262290Z", "resourceId": "/SUBSCRIPTIONS/**********-*****-****-**/RESOURCEGROUPS/C-ABS-IT-SS-PROD-UKS-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/C-ABS-IT-SS-PROD-UKS-FIREWALL", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.119.252.196:13973 to 40.79.154.87:443. Action: Allow"}}
Above is one single event
from which i want to extract src ip and dest ip
for example 10.119.252.16 is src ip and 54.83.8.19 is dest ip , I want to extract all from backend i dont wana use rex max_match=0 .
Please let me know how can i extract all from backend .
Thanks
Kannu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well , I have figured out the answer of my problem ,
Which is first I have extracted the inner json , from main json event , then i have used props.conf to index them using seprate event in that way splunk is taking all field with separate events .
LINE_BREAKER=((?<=\}),(?=\{)|[\r\n]+)
TRUNCATE = 0
SHOULD_LINEMERGE = false
SEDCMD-remove_prefix=s/{"body":{"records":.?\[//g
SEDCMD-remove_suffix=s/\]}.*}//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well , I have figured out the answer of my problem ,
Which is first I have extracted the inner json , from main json event , then i have used props.conf to index them using seprate event in that way splunk is taking all field with separate events .
LINE_BREAKER=((?<=\}),(?=\{)|[\r\n]+)
TRUNCATE = 0
SHOULD_LINEMERGE = false
SEDCMD-remove_prefix=s/{"body":{"records":.?\[//g
SEDCMD-remove_suffix=s/\]}.*}//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you want to "extract all from backend", do you mean you want to know how to extracted them at indexing time rather than search time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer Yes index time
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
