How do I extract multiple values from a log into one field?

michwii
New Member

Hi all,

I've been struggling for a few days to extract logs from our SVN repository.

Each event contains a list of files that have been modified.
I would like to extract those files and make statistics with them.

Let's start simple and let's just try to extract them with a regular expression.
Here are 3 example events:

Wed Jul 29 10:05:37 CEST 2015 --- x3000 --- D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/banche/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/cadran/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/cadran_carta/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/amacvret/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/dm_ctrl_metod/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/dm_rischio/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/piani/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/ricerca/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/universo_recupero/ D BATCH/BRANCHES/PROD/RESBOU/file_load/load_universi/mensile/veicoli/ --- Dismissione script per mondo nero, nacrad, Amacreoi, Controllo Metodologico, DM_RISCHIO, Piani, Ricerca, Recovert and cars

Wed Jul 29 10:11:27 CEST 2015 --- Z1567 --- D BUSINESSOBJECTS/BRANCHES/PROD/nero.unv D BUSINESSOBJECTS/BRANCHES/PROD/nadrac.unv D BUSINESSOBJECTS/BRANCHES/PROD/Controllo Metodologico.unv D BUSINESSOBJECTS/BRANCHES/PROD/ramaCrdit.unv D BUSINESSOBJECTS/BRANCHES/PROD/DM_RISCHIO.unv D BUSINESSOBJECTS/BRANCHES/PROD/Piani.unv D BUSINESSOBJECTS/BRANCHES/PROD/Ricerca.unv D BUSINESSOBJECTS/BRANCHES/PROD/cars.unv D BUSINESSOBJECTS/BRANCHES/PROD/uni_rec.unv --- Dismissione mondo nero, nadrac, ramaCrdit, Controllo Metodologico, DM_RISCHIO, Piani, Ricerca, Recovert univers and cars

Thu Jul 30 17:07:02 CEST 2015 --- X1254 --- U BUSINESSOBJECTS/TRUNK/Analisy_Mapping.unv --- Progetto ITXDE1506 - Mapping

Here is the regular expression I have used to first extract the ID of the person who did the commit and the list of files:

sourcetype=svn source="script-svn_log" | rex max_match=0 "---(?<userID>.*)---(?<Commit>.*)---"

Now I would like to extract, within the Commit field, all the files and the action that has been done to each file (the action is represented by a capital letter: D, A or U).

First question: Is it possible to apply a regular expression that returns multiple values to only one field?

Second question: For each result, will it be possible to generate fake/dummy events? Each event would contain all the previous fields + the name of the file + the nature of the commit (A, D or U).

Thank you for your time.


ramdaspr
Contributor
...| rex field=_raw max_match=0 "--- (?<usr>\w+) ---" | rex field=_raw max_match=0 " (?<commit>[DAU]) (?<file>.+?)(?= [DAU] | ---)" | fields _raw,usr,commit,file

should work.

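For the second question (one row per file, with its action attached), here is an added example that is not from the thread. It isolates the file list before matching so the commit message is never scanned, tolerates spaces in paths such as Controllo Metodologico.unv, and uses mvzip/mvexpand to fan a multivalue pair out into one row per file. The field names usr, filelist, pair, action and path are my choice.

```spl
sourcetype=svn source="script-svn_log"
| rex "--- (?<usr>\w+) --- (?<filelist>.*?) ---"
| rex field=filelist max_match=0 "(?<commit>[DAU]) (?<file>.+?)(?= [DAU] |$)"
| eval pair=mvzip(commit, file, "|")
| mvexpand pair
| rex field=pair "^(?<action>[DAU])\|(?<path>.*)$"
| table _time usr action path
```

mvexpand copies every other field (_time, usr, the original _raw) onto each generated row, so a subsequent `stats count by usr action` or `stats count by path` works on the per-file rows directly.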