Extraction of multiple events from a single variab...

rturk · ‎04-11-2012

Hi Splunkers 🙂

I have some variable length NAT translation events in the following format:

Apr 12 11:42:23 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port client-type server-IP server-port nat-IP nat-port start end|xxx.xxx.xxx.xxx 33791 yyy.yyy.yyy.yyy 6443 DY zzz.zzz.zzz.zzz 6443 0.0.0.0 0 12/04/2012-12:36:10 12/04/2012-12:37:11
Apr 12 11:39:28 1.2.3.4 AppDirector: client-IP src-port dst-IP dst-port client-type server-IP server-port nat-IP nat-port start end|xxx.xxx.xxx.xxx 13518 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:15|xxx.xxx.xxx.xxx 11333 yyy.yyy.yyy.yyy 443 DY zzz.zzz.zzz.zzz 8083 0.0.0.0 0 12/04/2012-12:34:15 12/04/2012-12:34:16

Each distinct translation is separated by a pipe command.

What is the best way of extracting (potentially) multiple events from a single line? I'm assuming this is possible?

Many thanks 🙂

woodcock · ‎07-05-2015

You can do it like this:

| rex "^[\|]+\|(?<MVevents>.*)$" | makemv delim="|" MVevents

You now have a multi-value field with all of your events as a separate value within that field. From here you can use mvindex to get at each one or mvexpand to create individual events; there are other mv commands, too.

Extraction of multiple events from a single variable length event

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...