multivalue on inline field extraction

ytl · ‎04-06-2011

i have a longish regex to weed out pertinent fields from some asa output. they generally follow the same format, however, sometimes the lines have say the protocol located in one place but sometimes in other.

if i were to construct the inline regex to have multiple

(?P<proto>\w+) blah (?P<proto>\w+)

then i get

Encountered the following error while trying to update: In handler 'props-extract': Regex: two named subpatterns have the same name

which makes sense; but couldn't the inline field extraction just create multi-value fields?

i can't really use a transform as i want context on the field; eg src_ip and dst_ip - of which depends on the relative location of the ip address in the regex.

any ideas? does it make sense to allow multi-value field extraction with inline regexes?

southeringtonp · ‎04-06-2011

If you can assume that you know all of the possible protocols, the simplest would be to just match on the known cases:

| rex field=_raw "(?i)\b(?<proto>tcp|udp|icmp|igmp|ip|gre)\b"

Or, pull them into two separate fields, and then use eval:

| rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)"
| eval proto=coalesce(proto1, proto2)

You can do something similar with transforms - you just may need multiple transforms depending on how you write it.

This link may also help if you need more examples for ASA transforms beyond what's in the Splunkbase app.

multivalue on inline field extraction

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...