Splunk Search

multivalue on inline field extraction

ytl
Path Finder

i have a longish regex to weed out pertinent fields from some asa output. they generally follow the same format, however, sometimes the lines have say the protocol located in one place but sometimes in other.

if i were to construct the inline regex to have multiple

(?P<proto>\w+) blah (?P<proto>\w+)

then i get

Encountered the following error while trying to update: In handler 'props-extract': Regex: two named subpatterns have the same name

which makes sense; but couldn't the inline field extraction just create multi-value fields?

i can't really use a transform as i want context on the field; eg src_ip and dst_ip - of which depends on the relative location of the ip address in the regex.

any ideas? does it make sense to allow multi-value field extraction with inline regexes?

0 Karma

southeringtonp
Motivator

If you can assume that you know all of the possible protocols, the simplest would be to just match on the known cases:

| rex field=_raw "(?i)\b(?<proto>tcp|udp|icmp|igmp|ip|gre)\b"

Or, pull them into two separate fields, and then use eval:

| rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)"
| eval proto=coalesce(proto1, proto2)

You can do something similar with transforms - you just may need multiple transforms depending on how you write it.

This link may also help if you need more examples for ASA transforms beyond what's in the Splunkbase app.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...