I looked through quite a few posts on here and couldn't find an appropriate answer, so please bear with me.
I have events coming into Splunk in JSON format. The top-level fields are extracted fine. However, a nested map/dictionary is giving me issues. When I run a search to get the values from that inner dictionary, it works in that I get a resulting table like:
A   B
--- ---
x   y
    z
    y
    z
s   m
    n
u   -   (- means None)
So, the y and z both belong to x and occasionally there are more than 2 items per each x. This happens for any x in A.
Since the cell in the table makes the values in B look separated by a newline, I created a regular expression that I've verified to correctly grab the logical groups for each y and z, if, for instance, they were just in a text box like this:
y
z
y
z
y
z
So the regex would properly grab the two as many times necessary, separately.
What I want to do is pull out each pair and separate the two items into two new fields, say C and D, and then later have a table where I have C and D grouped to field A.
The regex part of the command:
rex field="A{}{}" "(?<C>[\da-z\.-]+\.[a-z\.]{2,6})\n(?<D>\d{1,3})"
Note: the A{}{} together makes up the multivalue field, B, and A is just A as in the earlier part of my example.
The issue I'm running into is that when I pipe what should be the output from that statement into the table command, I don't get anything. The regex is definitely confirmed working on a site like http://regexr.com/ just for sanity-checking.
So there must be something I'm missing. Maybe the initial table with my example just looks like newlines separate the two values into rows when it doesn't. In which case I tried using a \s as the separator rather than \n and it still doesn't work.
Or maybe there's a super simple explanation for an obvious mistake I'm making.
Regardless I would appreciate some help very much.
Thanks in advance.
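As an added illustration (not part of the original post or of Splunk itself), here is the post's regex applied in Python to a constructed multivalue field B. It assumes the values of B arrive as separate strings, and contrasts matching each value on its own with matching the values once they are joined by the newline the regex expects; it then groups the resulting C/D pairs under A. SAMPLE_B, SAMPLE_EVENTS and the function names are hypothetical.

```python
import re

# Python form of the post's regex: Splunk's (?<name>...) becomes (?P<name>...) here.
PAIR_RE = re.compile(r"(?P<C>[\da-z\.-]+\.[a-z\.]{2,6})\n(?P<D>\d{1,3})")

# Constructed sample: the multivalue field B for one value of A, as a list of
# separate strings, the way a nested JSON array would arrive.
SAMPLE_B = ["host-a.example.com", "12", "host-b.example.net", "7"]

# Constructed sample of A -> B values, mirroring the table in the post
# ("u" has no B values at all).
SAMPLE_EVENTS = {
    "x": SAMPLE_B,
    "s": ["m.example.org", "3"],
    "u": [],
}


def pairs_per_value(values):
    """Apply the regex to each multivalue element on its own.

    Assumption: this models a per-value application, where no single value
    contains the newline the regex requires, so nothing can match.
    """
    found = []
    for v in values:
        for m in PAIR_RE.finditer(v):
            found.append((m.group("C"), m.group("D")))
    return found


def pairs_joined(values, sep="\n"):
    """Join the values with the separator the regex expects, then pull out every
    (C, D) pair, however many pairs there are."""
    text = sep.join(values)
    return [(m.group("C"), m.group("D")) for m in PAIR_RE.finditer(text)]


def pairs_by_a(events):
    """events: mapping of A -> list of B values. Returns A -> [(C, D), ...]."""
    return {a: pairs_joined(vals) for a, vals in events.items()}


if __name__ == "__main__":
    print("per value:", pairs_per_value(SAMPLE_B))
    print("joined:   ", pairs_joined(SAMPLE_B))
    print("grouped:  ", pairs_by_a(SAMPLE_EVENTS))
```

The point of the contrast is that the regex only has something to match when both halves of a pair sit in one string with the separator between them; joined with a space instead of a newline, the same regex finds nothing.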