Splunk Search

multivalue on inline field extraction

Path Finder

i have a longish regex to weed out pertinent fields from some asa output. they generally follow the same format, however, sometimes the lines have say the protocol located in one place but sometimes in other.

if i were to construct the inline regex to have multiple

(?P<proto>\w+) blah (?P<proto>\w+)

then i get

Encountered the following error while trying to update: In handler 'props-extract': Regex: two named subpatterns have the same name

which makes sense; but couldn't the inline field extraction just create multi-value fields?

i can't really use a transform as i want context on the field; eg src_ip and dst_ip - of which depends on the relative location of the ip address in the regex.

any ideas? does it make sense to allow multi-value field extraction with inline regexes?

0 Karma


If you can assume that you know all of the possible protocols, the simplest would be to just match on the known cases:

| rex field=_raw "(?i)\b(?<proto>tcp|udp|icmp|igmp|ip|gre)\b"

Or, pull them into two separate fields, and then use eval:

| rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)"
| eval proto=coalesce(proto1, proto2)

You can do something similar with transforms - you just may need multiple transforms depending on how you write it.

This link may also help if you need more examples for ASA transforms beyond what's in the Splunkbase app.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...