Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

multivalue on inline field extraction

ytl
Path Finder
‎04-06-2011 09:23 PM

i have a longish regex to weed out pertinent fields from some asa output. they generally follow the same format, however, sometimes the lines have say the protocol located in one place but sometimes in other.

if i were to construct the inline regex to have multiple

(?P<proto>\w+) blah (?P<proto>\w+)

then i get

Encountered the following error while trying to update: In handler 'props-extract': Regex: two named subpatterns have the same name

which makes sense; but couldn't the inline field extraction just create multi-value fields?

i can't really use a transform as i want context on the field; eg src_ip and dst_ip - of which depends on the relative location of the ip address in the regex.

any ideas? does it make sense to allow multi-value field extraction with inline regexes?

0 Karma
Reply

southeringtonp
Motivator
‎04-06-2011 09:58 PM

If you can assume that you know all of the possible protocols, the simplest would be to just match on the known cases:

| rex field=_raw "(?i)\b(?<proto>tcp|udp|icmp|igmp|ip|gre)\b"

Or, pull them into two separate fields, and then use eval:

| rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)"
| eval proto=coalesce(proto1, proto2)

You can do something similar with transforms - you just may need multiple transforms depending on how you write it.

This link may also help if you need more examples for ASA transforms beyond what's in the Splunkbase app.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...