Hi,
In my log, I have the same field name for three distinct values in the same event. For example:
...
Security ID:Joseph Security ID:Admin Security ID:Lopes
..
When I use the search:
... | table Security_ID
Splunk shows me:
(2 events)
Security ID
Joseph
Admin
Lopes
...
John
Felippe
Brian
How can I separate this information into three distinct fields in a search? I tried to create field extractions, but the log has a lot of data and my sample does not appear in its entirety.
Security ID
Joseph (field 1)
Admin (field 2)
Lopes (field 3)
...
John (field 1)
Felippe (field 2)
Brian (field 3)
Best regards,
Lopes.
Here is a run-anywhere example of how you can do this:
| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id
If you want them as separate fields, you could do this:
| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3
Is there a generic way to do this without writing out the values of the lines? I have a lot of event values in the same search.
Worked perfectly!
Thank you very much!
Hi @monteirolopes
Glad you were able to find a solution on Answers from @sundareshr 🙂 Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make it easier to find for other users with a similar issue. Thanks!
Not sure I understand. This is a run-anywhere example. When you use it, you will ignore everything before the rex command. The rex is a generic regular expression that will extract as long as the field name ends with "ID:" and the values are single-word values. If there could be more than 3 fields, you can change the max_match to whatever number you think you need. Setting max_match to 0 will yield unlimited matches in a single event.
As far as the mvindex function is concerned, not sure there is a generic way to do that.
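As an added illustration (not code from the thread or from Splunk), here is the same rex + mvindex logic in Python, generalised so that any number of Security ID values per event becomes f1, f2, ... without listing the values by hand; the sample events and the \S+ pattern (which keeps SIDs and DOMAIN\user values whole, unlike the single-word \w+ in the answer above) are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the original thread). The first two mirror
# the values shown in the question; the third has only two IDs and SID-style values.
SAMPLE_EVENTS = [
    "EventCode=4624 Security ID:Joseph Security ID:Admin Security ID:Lopes",
    "EventCode=4624 Security ID:John Security ID:Felippe Security ID:Brian",
    "EventCode=4672 Security ID:S-1-5-18 Security ID:CORP\\svc-backup",
]

# The thread's rex uses "ID:(?<id>\w+)" (single-word values). As an assumed
# generalisation, \S+ keeps SIDs (S-1-5-...) and DOMAIN\user values intact.
SECURITY_ID_RE = re.compile(r"Security ID:(?P<id>\S+)")


def extract_ids(event: str, max_match: int = 0) -> List[str]:
    """Equivalent of `rex max_match=N` with the pattern above.

    Returns the multivalue field `id` as a list; max_match=0 means unlimited,
    mirroring Splunk's rex semantics.
    """
    ids = [m.group("id") for m in SECURITY_ID_RE.finditer(event)]
    return ids if max_match == 0 else ids[:max_match]


def split_to_fields(event: str, prefix: str = "f") -> Dict[str, str]:
    """Generic form of `eval f1=mvindex(id,0) | eval f2=mvindex(id,1) | ...`:
    one positional field per captured value, however many the event carries."""
    return {f"{prefix}{i + 1}": v for i, v in enumerate(extract_ids(event))}


def build_table(events: List[str]) -> List[Dict[str, str]]:
    """Equivalent of `| table f1 f2 f3 ...` over several events. Events with
    fewer IDs simply lack the higher-numbered columns, like an empty cell."""
    return [split_to_fields(e) for e in events]


if __name__ == "__main__":
    for row in build_table(SAMPLE_EVENTS):
        print(row)
```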