I am trying to break a field (httpRequest) into a multivalue field and then extract one of the values.
My search:
* | makemv delim="\r\n" httpRequest | eval userAgent=mvindex(httpRequest,1) | table clientIp userAgent
Nothing shows up in the table for the userAgent field. But if I change the index number to 0 instead of 1, the entire httpRequest field value shows up as the value of userAgent.
It does not appear that makemv is honoring the "\r\n" as the delimiter. I have tried escaping the backslashes with "\r\n" but the result is the same.
Further info...
The raw field looks like this:
"httpRequest":"GET / HTTP/1.1\r\nHost: somehost\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\nContent-Length: 0\r\n\r\n"
And this field in the parsed JSON-formatted log looks like this:
httpRequest: GET / HTTP/1.1
Host: somehost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Length: 0
When I show the httpRequest field in a table it shows up like this:
GET / HTTP/1.1
Host: somehost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Length: 0
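The following is an added example, not part of the original post and not Splunk's own code. It models the situation in Python rather than SPL: a JSON-decoded httpRequest value contains real CR LF characters, so splitting on the literal four characters backslash-r-backslash-n (the assumption here being that the delimiter in the failing search is taken literally) yields a single element, which matches the symptom of the whole value landing at index 0. Splitting on actual CR LF gives one element per line. The example then goes a step further than the question and extracts User-Agent by header name rather than by position, because header order is chosen by the client and a position-based mvindex would silently pick the wrong line if it changes. The sample log line and the 192.0.2.10 address are constructed for illustration.

```python
import json

# Constructed sample log line with the same shape as the one in the question
# (the address is a documentation-range placeholder, not real traffic).
SAMPLE_LOG = (
    '{"clientIp":"192.0.2.10","httpRequest":"GET / HTTP/1.1\\r\\n'
    'Host: somehost\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)'
    ' AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103'
    ' Safari/537.36\\r\\nContent-Length: 0\\r\\n\\r\\n"}'
)


def split_literal(value: str) -> list:
    """Split on the literal characters '\\', 'r', '\\', 'n'.

    Hypothetical model of the failing search: after JSON decoding the field
    holds real CR LF bytes, so this four-character literal never matches and
    the whole value comes back as a single element (index 0), with nothing at
    index 1.
    """
    return value.split("\\r\\n")


def split_crlf(value: str) -> list:
    """Split on real CR LF characters and drop the empty trailing parts that
    the terminating blank line produces."""
    return [part for part in value.split("\r\n") if part]


def parse_http_request(value: str) -> dict:
    """Parse a raw request field into its request line and a dict of headers
    keyed by lower-cased header name.

    Looking headers up by name instead of by line position is deliberate: the
    client controls header order, so 'the second line' is not guaranteed to
    be User-Agent.
    """
    lines = split_crlf(value)
    request_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers[name.strip().lower()] = val.strip()
    return {"request_line": request_line, "headers": headers}


def user_agent_from_log(log_line: str) -> str:
    """Decode one JSON log line and return its User-Agent ('' if absent)."""
    event = json.loads(log_line)
    parsed = parse_http_request(event.get("httpRequest", ""))
    return parsed["headers"].get("user-agent", "")


if __name__ == "__main__":
    raw = json.loads(SAMPLE_LOG)["httpRequest"]
    print("literal split ->", len(split_literal(raw)), "element(s)")
    print("CRLF split    ->", len(split_crlf(raw)), "element(s)")
    print("User-Agent    ->", user_agent_from_log(SAMPLE_LOG))
```

Running the block prints one element for the literal split and four for the CR LF split, then the User-Agent string; the same name-based lookup still works when the client sends its headers in a different order.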