Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Find the LAST instance of an extracted field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jeremyhagand61
Communicator
09-12-2019
12:16 AM
I have event data which looks like this:
Sep 12 11:33:23 hostname AUDIT "2019-09-12 11:33:23.677 GMT+1000" 192.168.19.36 hostname:1812 0 1912 17771 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 11:33:53 hostname AUDIT "2019-09-12 11:33:53.848 GMT+1000" 192.168.19.36 hostname:1812 0 1912 17974 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 11:34:11 hostname AUDIT "2019-09-12 11:34:11.692 GMT+1000" 192.168.19.36 hostname:1812 0 1912 18175 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 14:34:22 hostname AUDIT "2019-09-12 14:34:22.210 GMT+1000" 192.168.19.36 hostname:1812 0 18870 20232 "text=Access DENIED Incorrect LDAP Password. ,reason=3; Incorrect LDAP Password." Thread-6076 VSValidationEngine.c
Sep 12 14:40:37 hostname AUDIT "2019-09-12 14:40:36.800 GMT+1000" 192.168.19.36 hostname:1812 0 1912 20499 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
I am grouping the events into a transaction based on the auto-extracted "thread" field. This makes these into 1 event. I am then extracting the results into a field called "result" using the following rex comannd:
rex field=text max_match=0 "Access\s(?<result>[A-Z]+)\s"
With the example event data above, I get a MV field with only 2 values. It seems to be deduping my match. I really want ALL the values and then am interested in putting the final value (index -1) into another field.
Any guidance on how to achieve this would be appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-12-2019
05:52 AM
@jeremyhagand61,
Try using the mvlist=true rendering option
Reference : Multivalue rendering options
mvlist
Syntax: mvlist= true | false | <field-list>
Description: Flag that controls how multivalued fields are processed. When set to mvlist=true, the multivalued fields in the transaction are a list of the original events ordered in arrival order. When set to mvlist=false, the multivalued fields in the transaction are a set of unique field values ordered alphabetically. If a comma or space delimited list of fields is provided, only those fields are rendered as lists.
Default: false
In your case, it would be
"your search"
|transaction thread mvlist=true
| rex field=text "Access\s(?<result>[A-Z]+)\s"
| eval new_field=mvindex(result,-1)
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-12-2019
05:52 AM
@jeremyhagand61,
Try using the mvlist=true rendering option
Reference : Multivalue rendering options
mvlist
Syntax: mvlist= true | false | <field-list>
Description: Flag that controls how multivalued fields are processed. When set to mvlist=true, the multivalued fields in the transaction are a list of the original events ordered in arrival order. When set to mvlist=false, the multivalued fields in the transaction are a set of unique field values ordered alphabetically. If a comma or space delimited list of fields is provided, only those fields are rendered as lists.
Default: false
In your case, it would be
"your search"
|transaction thread mvlist=true
| rex field=text "Access\s(?<result>[A-Z]+)\s"
| eval new_field=mvindex(result,-1)
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jeremyhagand61
Communicator
09-12-2019
04:21 PM
Thanks, that worked. Makes a bit more work to collapse the other fields I am extracting, but I managed to get what I needed.
Get Updates on the Splunk Community!
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
