how to extract multiple strings from multiple lines into 1 field

mikegdlw
New Member

I have a logline that is already extracted into multiple fields. One of those fields contains multiple strings on different lines.
I would like to extract certain strings from these lines and add them to a single field.

example log:

source=10.0.0.1
destination=10.0.0.2
action=deny
extra=rule number 1
xlated_source:192.168.0.1
xlated_destination:10.0.0.2
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN-printers
dest_info:the destination is part of group /destination/network/LAN
dest_info:the destination is part of group /destination/network/LAN-DC

As a result, I would like to have the following new fields extracted from the "extra" field:
network-srcinfo=LAN,LAN-Tulsa,LAN-printers
network-dstinfo=LAN,LAN-DC

when I do a:

| rex field=_raw "/source/network/(?<network-srcinfo>.*)"

I only get:

network-srcinfo=LAN

I'm quite new to splunk, and I can't seem to find an answer to this.

1 Solution

MuS
SplunkTrust

Try something like this:

| rex max_match=0 field=_raw "\/source\/network\/(?<network-srcinfo>.*)" | table network-srcinfo

mikegdlw
New Member

Thank you! That fixed my issue.

Of course, now a new one popped up. It seems that within the logs, things are not as consistent as I thought,
so it can indeed show up as:
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN-printers

but also in other combinations:
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-printers

Is there a way to do an alphabetical sort within the network-srcinfo field?
Otherwise the result would be that "LAN, LAN-Tulsa, LAN-printers" is seen as different from "LAN-Tulsa, LAN, LAN-printers", while in essence this is not the case.


MuS
SplunkTrust

Add a | sort network-srcinfo at the end.

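Added example (mine, not code from either poster): a small Python script that reproduces both steps discussed in this thread outside Splunk, so you can see exactly what max_match=0 changes and what a value-level sort has to do. With the default max_match=1, rex keeps only the first match per event; with max_match=0 every match becomes one value of a multivalue field. To compare two events regardless of the order in which the group lines appear, the values inside that multivalue field have to be sorted, which in SPL is the eval function mvsort (and mvjoin to render them as one comma-separated string); the SPL equivalent is given in the comment at the top. The sample event is constructed from the lines in the question, not real firewall output. I used \S+ instead of .* for the capture so a trailing carriage return or space is not swallowed into the group name, and underscore field names in the SPL comment because PCRE named groups accept letters, digits and underscore; both are my choices.

```python
import re

# SPL equivalent of what this script does (assumed, not from the thread):
#
#   | rex max_match=0 field=_raw "\/source\/network\/(?<network_srcinfo>\S+)"
#   | rex max_match=0 field=_raw "\/destination\/network\/(?<network_dstinfo>\S+)"
#   | eval network_srcinfo=mvjoin(mvsort(network_srcinfo), ","),
#          network_dstinfo=mvjoin(mvsort(network_dstinfo), ",")
#   | table network_srcinfo network_dstinfo

# Constructed sample events modelled on the question; not real log data.
# Event A lists the groups in the order shown in the original post.
SAMPLE_EVENT_A = """source=10.0.0.1
destination=10.0.0.2
action=deny
extra=rule number 1
xlated_source:192.168.0.1
xlated_destination:10.0.0.2
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN-printers
dest_info:the destination is part of group /destination/network/LAN
dest_info:the destination is part of group /destination/network/LAN-DC
"""

# Event B carries the same groups in a different order, as in the follow-up.
SAMPLE_EVENT_B = """source=10.0.0.1
destination=10.0.0.2
action=deny
extra=rule number 1
xlated_source:192.168.0.1
xlated_destination:10.0.0.2
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-printers
dest_info:the destination is part of group /destination/network/LAN-DC
dest_info:the destination is part of group /destination/network/LAN
"""

# \S+ stops at the first whitespace, so a trailing CR or space is not captured.
SRC_RE = re.compile(r"/source/network/(?P<net>\S+)")
DST_RE = re.compile(r"/destination/network/(?P<net>\S+)")


def extract_first(pattern, raw):
    """Default rex behaviour (max_match=1): only the first match is kept."""
    m = pattern.search(raw)
    return [m.group("net")] if m else []


def extract_all(pattern, raw):
    """rex max_match=0: every match becomes one value of a multivalue field."""
    return [m.group("net") for m in pattern.finditer(raw)]


def normalize(values):
    """eval f=mvjoin(mvsort(f), ","): sort the values (lexicographic, like
    mvsort) and join them, so the same set of groups always renders the
    same way regardless of the order of the lines in the event."""
    return ",".join(sorted(values))


def extract_groups(raw):
    """Return the two normalized fields the question asks for."""
    return {
        "network-srcinfo": normalize(extract_all(SRC_RE, raw)),
        "network-dstinfo": normalize(extract_all(DST_RE, raw)),
    }


if __name__ == "__main__":
    print("first match only:", extract_first(SRC_RE, SAMPLE_EVENT_A))
    print("all matches, A   :", extract_all(SRC_RE, SAMPLE_EVENT_A))
    print("all matches, B   :", extract_all(SRC_RE, SAMPLE_EVENT_B))
    print("normalized, A    :", extract_groups(SAMPLE_EVENT_A))
    print("normalized, B    :", extract_groups(SAMPLE_EVENT_B))
    print("A == B after sort:", extract_groups(SAMPLE_EVENT_A) == extract_groups(SAMPLE_EVENT_B))
```

Running it shows the first-match extraction returning just LAN (what the original rex produced), the full extraction returning the groups in event order, and the two differently ordered events collapsing to the identical LAN,LAN-Tulsa,LAN-printers / LAN,LAN-DC strings once the values are sorted. Note that the sort is plain lexicographic, so uppercase sorts before lowercase (LAN-Tulsa before LAN-printers); if your group names mix cases, lowercase them before sorting so that the comparison stays stable.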