Hi Splunkers 🙂
I have some variable length NAT translation events in the following format:
Apr 12 11:42:23 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port client-type server-IP server-port nat-IP nat-port start end|xxx.xxx.xxx.xxx 33791 yyy.yyy.yyy.yyy 6443 DY zzz.zzz.zzz.zzz 6443 0.0.0.0 0 12/04/2012-12:36:10 12/04/2012-12:37:11
Apr 12 11:39:28 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port client-type server-IP server-port nat-IP nat-port start end|xxx.xxx.xxx.xxx 13518 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:15|xxx.xxx.xxx.xxx 11333 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:16
Each distinct translation is separated by a pipe command.
What is the best way of extracting (potentially) multiple events from a single line? I'm assuming this is possible?
Many thanks 🙂
You can do it like this:
| rex "^[^\|]+\|(?<MVevents>.*)$" | makemv delim="|" MVevents
You now have a multi-value field with all of your events as a separate value within that field. From here you can use mvindex to get at each one or mvexpand to create individual events; there are other mv commands, too.
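The same split the answer performs in SPL (drop the header up to the first pipe, then break the remainder on pipes), carried through to per-translation records with named fields, as an added example that is not part of the original thread. The header names are taken from the question's own sample lines, which are embedded below as constructed input (the xxx/yyy/zzz IP placeholders are the question's); the regex, field names and the strict field-count check are this example's assumptions, not AppDirector's documented format.

```python
import re
from typing import Dict, List

# Constructed sample input: the two lines from the question, verbatim.
SAMPLE_LINES = [
    "Apr 12 11:42:23 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port "
    "client-type server-IP server-port nat-IP nat-port start end|"
    "xxx.xxx.xxx.xxx 33791 yyy.yyy.yyy.yyy 6443 DY zzz.zzz.zzz.zzz 6443 "
    "0.0.0.0 0 12/04/2012-12:36:10 12/04/2012-12:37:11",
    "Apr 12 11:39:28 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port "
    "client-type server-IP server-port nat-IP nat-port start end|"
    "xxx.xxx.xxx.xxx 13518 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 "
    "0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:15|"
    "xxx.xxx.xxx.xxx 11333 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 "
    "0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:16",
]

# Assumed layout: syslog timestamp, reporting host, program name, then the
# space-separated header (field names) up to the first pipe. Everything after
# that pipe is the pipe-separated list of translations, which is exactly what
# the rex/makemv answer captures into MVevents.
PREFIX_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:]+): (?P<header>[^|]+)\|(?P<body>.*)$"
)


def expand_line(line: str) -> List[Dict[str, str]]:
    """Split one multi-translation line into one dict per translation.

    Field names come from the line's own header, so a firmware change that
    adds or reorders columns does not silently mis-map values: a record whose
    token count differs from the header's is rejected instead of being
    shifted into the wrong fields.
    """
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError(f"line does not match expected layout: {line[:60]!r}")
    names = m.group("header").split()
    events: List[Dict[str, str]] = []
    for raw in m.group("body").split("|"):
        values = raw.split()
        if len(values) != len(names):
            raise ValueError(
                f"translation has {len(values)} fields, header has {len(names)}: {raw!r}"
            )
        event = dict(zip(names, values))
        # Carry the syslog envelope onto every expanded event, as mvexpand
        # would keep the parent event's other fields.
        event["syslog_ts"] = m.group("syslog_ts")
        event["host"] = m.group("host")
        event["program"] = m.group("program")
        events.append(event)
    return events


def expand_all(lines: List[str]) -> List[Dict[str, str]]:
    """Expand every line; one input line may yield several events."""
    out: List[Dict[str, str]] = []
    for line in lines:
        out.extend(expand_line(line))
    return out


if __name__ == "__main__":
    for ev in expand_all(SAMPLE_LINES):
        print(ev["syslog_ts"], ev["client-IP"], ev["src-port"], "->",
              ev["server-IP"], ev["server-port"], ev["start"], ev["end"])
```

Running it on the two sample lines yields three events (one from the first line, two from the second), each keyed by the header names so src-port, server-port and the start/end timestamps can be correlated against other logs per translation rather than per syslog line.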