Splunk Search

multivalue on inline field extraction

Path Finder

i have a longish regex to weed out pertinent fields from some asa output. they generally follow the same format, however, sometimes the lines have say the protocol located in one place but sometimes in other.

if i were to construct the inline regex to have multiple

(?P<proto>\w+) blah (?P<proto>\w+)

then i get

Encountered the following error while trying to update: In handler 'props-extract': Regex: two named subpatterns have the same name

which makes sense; but couldn't the inline field extraction just create multi-value fields?

i can't really use a transform as i want context on the field; eg src_ip and dst_ip - of which depends on the relative location of the ip address in the regex.

any ideas? does it make sense to allow multi-value field extraction with inline regexes?

0 Karma


If you can assume that you know all of the possible protocols, the simplest would be to just match on the known cases:

| rex field=_raw "(?i)\b(?<proto>tcp|udp|icmp|igmp|ip|gre)\b"

Or, pull them into two separate fields, and then use eval:

| rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)"
| eval proto=coalesce(proto1, proto2)

You can do something similar with transforms - you just may need multiple transforms depending on how you write it.

This link may also help if you need more examples for ASA transforms beyond what's in the Splunkbase app.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...