Splunk Search

Extract the first value for multivalue field events

vrmandadi
Builder

Hey,

I have a sample event, which is a multivalue field. I want to extract Service ID and Ent_Provider Id from the type="startPlacement". Since this is a multivalue field there are many type="startPlacement", but I want to extract the fields from the first type="startPlacement".

<ns2:Events>
         <ns2:PlacementStatusEvent type="startPlacement" time="2018-01-16T14:16:02.238-05:00" messageRef="eeac4616-7c69-4453-a66e-01e2d8726db7">
            <StatusCode class="0">
               <Note>SUCCEEDED</Note>
            </StatusCode>
            <ns2:Spot>
               <Tracking>sync-ADS}:{**iCTRL Lifestyle**#**foodnetwork.com**@{b}_t_125_1516130158263321007_5a54dba8000a94c6}:{01LC5SUJUJSTa8mReTByrtGQ</Tracking>
               <Content>
                  <AssetRef providerID="abc.com" assetID="DAMV8018010541107392" />
                  <Duration>PT30.000S</Duration>
                  <Tracking>tron-ADS}:{iCTRL Lifestyle#foodnetwork.com@{b}_t_125_1516130158263321007_5a54dba8000a94c6}:{01Uat1fEFCQKaxZmV1Cx72ig</Tracking>
               </Content>
               <ns2:SpotNPT scale="1">0.0</ns2:SpotNPT>
            </ns2:Spot>
         </ns2:PlacementStatusEvent>

Service_ID=iCTRL Lifestyle
Ent_Provider Id=foodnetwork.com

0 Karma

mayurr98
Super Champion

hey @vrmandadi

try this

index=<your_index> | rex field=_raw "<Tracking>sync-ADS}:{\*\*(?<Service_ID>[^\*]+)\*\*#\*\*(?<Ent_Provider_Id>[^\*]+)"

Now if you do not want to use this regex in the search query and want these fields extracted directly, do this:
Step 1: go to Fields » Field extractions » Add new
Step 2: fill in the details. Name: Service_and_provider_ID

Apply to sourcetype: <put_your_sourcetype_on_which_you_want_to_apply_this_regex>
Extraction/Transform: <Tracking>sync-ADS}:{\*\*(?<Service_ID>[^\*]+)\*\*#\*\*(?<Ent_Provider_Id>[^\*]+)
Step 3: save

Then see the extracted fields by entering index=<your_index> in your search bar.

let me know if this helps !

0 Karma

vrmandadi
Builder

Hello @mayurr98

Thanks for the reply. I tried your rex in search, but I did not see the fields extracted.

0 Karma

mayurr98
Super Champion

Hey, sorry, you need to escape special characters as well.
Try this instead:

index=<your_index> | rex field=_raw "\<Tracking\>sync\-ADS\}\:\{\*\*(?<Service_ID>[^\*]+)\*\*\#\*\*(?<Ent_Provider_Id>[^\*]+)"

let me know if this helps !

0 Karma

horsefez
SplunkTrust

Hi,

How about using the following Splunk command:

| rex max_match=1 field=<nameofyourmultivaluefield> "\<Tracking\>[^{]+\{(?<Service_ID>[^#]+)\#(?<Ent_Provider>[^@]+)"

P.S. max_match is by default set to 1, so that wouldn't be needed and is only here for better illustration.

0 Karma
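Added example, not part of either answer above: the two rex patterns posted in this thread (mayurr98's, which depends on the `**` markers, and horsefez's, which does not) run against the posted event with Python's `re`, through a small `rex()` that reproduces `max_match=1` (first match only, Splunk's default) versus `max_match=0` (every match, which is what a multivalue field would hold). Assumptions of mine: the `**` around the values in the sync-ADS `<Tracking>` line look like forum bold markup rather than bytes in the real event (the tron-ADS line has none), so the event is built both with and without them; the second startPlacement event and the `xmlns:ns2` URI are constructed for the demo. The last function is the order-independent alternative: parse the XML and take the first `PlacementStatusEvent` whose `type` is `startPlacement`, instead of the first `<Tracking>` in byte order.

```python
"""Added example, not code from the thread: replay the posted rex patterns
against the posted event and compare max_match=1 with max_match=0.
Assumptions (mine): the ** markers are forum bold markup (tried both ways);
the second event and the ns2 namespace URI are constructed for the demo."""
import re
import xml.etree.ElementTree as ET

NS2 = "urn:example:ns2"  # constructed; the posted snippet does not declare it


def tracking_line(prefix: str, svc: str, prov: str, token: str, bold: bool) -> str:
    """One <Tracking> element in the posted format; bold=True keeps the ** markers."""
    b = "**" if bold else ""
    return ("<Tracking>" + prefix + "-ADS}:{" + b + svc + b + "#" + b + prov + b
            + "@{b}_t_125_1516130158263321007_5a54dba8000a94c6}:{" + token + "</Tracking>")


def make_event(bold: bool) -> str:
    """Constructed raw event: the posted startPlacement event plus a second one,
    so that 'first match only' is observable. Only the sync-ADS line carries **."""
    events = []
    for time, svc, prov in (
        ("2018-01-16T14:16:02.238-05:00", "iCTRL Lifestyle", "foodnetwork.com"),
        ("2018-01-16T14:16:32.238-05:00", "Second Service", "example.org"),
    ):
        events.append(
            f'<ns2:PlacementStatusEvent type="startPlacement" time="{time}">'
            '<StatusCode class="0"><Note>SUCCEEDED</Note></StatusCode><ns2:Spot>'
            + tracking_line("sync", svc, prov, "01LC5SUJUJSTa8mReTByrtGQ", bold)
            + "<Content>" + tracking_line("tron", svc, prov, "01Uat1fEFCQKaxZmV1Cx72ig", False)
            + "</Content></ns2:Spot></ns2:PlacementStatusEvent>"
        )
    return f'<ns2:Events xmlns:ns2="{NS2}">' + "".join(events) + "</ns2:Events>"


# The two patterns exactly as posted in the thread (PCRE/Splunk syntax).
MAYURR98 = r"<Tracking>sync-ADS}:{\*\*(?<Service_ID>[^\*]+)\*\*#\*\*(?<Ent_Provider_Id>[^\*]+)"
HORSEFEZ = r"\<Tracking\>[^{]+\{(?<Service_ID>[^#]+)\#(?<Ent_Provider>[^@]+)"


def to_python_re(pcre: str) -> str:
    """Python's re spells named groups (?P<name>...); PCRE/Splunk accept (?<name>...)."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)


def rex(pattern: str, raw: str, max_match: int = 1) -> list:
    """Mimic | rex: max_match=1 (Splunk's default) keeps the first match only;
    max_match=0 keeps every non-overlapping match, as a multivalue field would."""
    out = []
    for m in re.finditer(to_python_re(pattern), raw):
        out.append(m.groupdict())
        if max_match and len(out) >= max_match:
            break
    return out


def first_start_placement(raw: str) -> dict:
    """Order-independent alternative: parse the XML, pick the first
    PlacementStatusEvent whose type is startPlacement, then split its sync-ADS
    Tracking value on the }:{ / # / @ delimiters. Stray ** markers are stripped."""
    root = ET.fromstring(raw)
    for ev in root.iter(f"{{{NS2}}}PlacementStatusEvent"):
        if ev.get("type") != "startPlacement":
            continue
        track = ev.find(f"{{{NS2}}}Spot/Tracking").text
        body = track.split("}:{", 2)[1]          # sync-ADS}:{<svc>#<prov>@...}:{token
        svc, rest = body.split("#", 1)
        prov = rest.split("@", 1)[0]
        return {"Service_ID": svc.strip("*"), "Ent_Provider_Id": prov.strip("*")}
    return {}


if __name__ == "__main__":
    for bold in (True, False):
        raw = make_event(bold)
        print("bold markers present:", bold)
        print("  mayurr98 first:", rex(MAYURR98, raw))
        print("  horsefez first:", rex(HORSEFEZ, raw))
        print("  horsefez all:  ", len(rex(HORSEFEZ, raw, max_match=0)), "matches")
        print("  xml parser:    ", first_start_placement(raw))
```

Run it as a script to see the three behaviours side by side: mayurr98's pattern matches only when the asterisks are really in the event; horsefez's pattern matches either way but keeps the asterisks inside the captured values when they are present; and `max_match=0` returns one match per `<Tracking>` element (four for the two-event sample), so the first value of that multivalue result is the same one `max_match=1` returns.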

vrmandadi
Builder

Thank you for your response. How can I extract these fields into interesting fields like IFX, so that I don't need to use rex every time?

0 Karma

horsefez
SplunkTrust

Hi vrmandadi,
Sadly, I don't know what you mean by "IFX" or "interesting fields". Could you give me an example of that?

0 Karma