The search I am using is below, and in the output for a few names I am getting 3 records in the field manage. Please help me to write a rex to get only a single record where protocol:{name:ssh}
index="unicorn" |fillnull value="_" | search infrastructure{}.name="FRA-SGSS ZONE PARTENAIRE FRANCE" location.building="*" type.name="*" location.room="*" teamInCharge{}.name="*" |lookup Input_splunk_all.csv RTR as name |spath output=manage remoteManagement{} | table name manage
If you see the output below for the names PFSOFW401 and PFSOFW01, I am getting more than one line for the manage field; there I need a single record.
name manage
TIGSGSSFR01 {"id":12584,"protocol":{"name":"ssh"},"ip":"192.0.4.193","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":3434}
TIG-DMZ-SGSSFR-S01 {"id":15320,"protocol":{"name":"ssh"},"ip":"192.0.4.171","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":5164}
SOCGEN-SGSS-CLICHY {"id":43103,"protocol":{"name":"ssh"},"ip":"223.3.2.145","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":22626}
SOCGEN-DMZ-TIGERY {"id":43101,"protocol":{"name":"ssh"},"ip":"223.3.2.143","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":22624}
RT2821-LEV-MIN-A18 {"id":43102,"protocol":{"name":"ssh"},"ip":"192.168.1.37","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":22625}
PFSOFW401
{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw401","password":null,"device":7076}
{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
PFSOFW01
{"id":17897,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw01","password":null,"device":7077}
{"id":17898,"protocol":{"name":"https"},"ip":"192.0.4.41","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7077}
{"id":17645,"protocol":{"name":"ssh"},"ip":"192.0.4.41","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7077}
Thanks.
Not very clear on what the expected output is. If you want variable protocol to have value ssh, this should work.
|rex field=manage "\\?\"protocol\\?\"\:{\\?\"name\\?\"\:\\?\"(?<protocol>[^\\\"]+)"
Note: this rex accommodates a hidden backslash character. You can test your regular expressions here - regex101.com
Hope this helps
Cheers
EDIT: Based on the sample provided, here is the regex
| rex field=_raw "name\"\:\"(?<protocol>[^\"]+)"
| rename protocol as "protocol:name"
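Added worked example (not part of the thread and not Splunk code): the three manage values posted for PFSOFW401 are run through a Python translation of the rex given in the answer above, and beside it a plain JSON parse that keeps only the record whose protocol.name is ssh. The function names, the sample list, and the backslash added to the excluded character class are my choices, not taken from the answer.

```python
import json
import re
from typing import List, Optional

# Constructed copy of the three "manage" values shown in the thread for PFSOFW401.
SAMPLE_MANAGE = [
    '{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22",'
    '"additionalInformation":null,"plainTextURL":null,"login":"pfsofw401",'
    '"password":null,"device":7076}',
    '{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443",'
    '"additionalInformation":null,"plainTextURL":null,"login":"matricule SG",'
    '"password":null,"device":7076}',
    '{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22",'
    '"additionalInformation":null,"plainTextURL":null,"login":"matricule SG",'
    '"password":null,"device":7076}',
]

# Python translation of the rex from the answer: SPL string escaping removed and the
# named group written in Python's (?P<...>) form. Each optional backslash (\\?) lets
# the same pattern match values whose inner quotes are escaped, e.g.
# {\"protocol\":{\"name\":\"ssh\"}}. The backslash is added to the excluded class
# (my change) so that the escaped form yields "ssh" rather than "ssh\".
PROTOCOL_RE = re.compile(
    r'\\?"protocol\\?":\{\\?"name\\?":\\?"(?P<protocol>[^"\\]+)'
)


def extract_protocol(manage_value: str) -> Optional[str]:
    """Return the protocol name from one manage record using the regex, or None."""
    m = PROTOCOL_RE.search(manage_value)
    return m.group("protocol") if m else None


def select_by_protocol(manage_values: List[str], wanted: str = "ssh") -> List[dict]:
    """Parse each record as JSON and keep those whose protocol.name equals `wanted`.

    Records that are not valid JSON or lack protocol.name are skipped, so a
    malformed or partial value cannot raise on a nested lookup.
    """
    kept = []
    for raw in manage_values:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        protocol = rec.get("protocol") or {}
        if isinstance(protocol, dict) and protocol.get("name") == wanted:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for value in SAMPLE_MANAGE:
        print(extract_protocol(value))
    for rec in select_by_protocol(SAMPLE_MANAGE):
        print(rec["id"], rec["ip"], rec["port"])
```

Applied one value at a time, the regex yields console, https and ssh for the three rows, and the JSON filter returns only the record with id 17644. The point to check before using either approach in SPL is what the pattern is run against: the manage field holds one JSON object per value, whereas the whole `_raw` event also carries the other `name` keys referenced in the question's search (infrastructure{}.name, type.name, teamInCharge{}.name), so a pattern anchored only on `name"` would need to be tested on a full event rather than on the manage value alone.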
Yes @arjunpkishore5,
I want to get the protocol:name to have the value ssh.
But that's not working. I tried the rex provided by you above, but it's getting nothing in the protocol field.
my sample data is below:
{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw401","password":null,"device":7076}
{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
@surekhasplunk Updated my answer based on the sample data provided. Please give a try.
please give us some sample data
Hi @Sukisen1981 ,
The sample data is my manage field.
I have pinged one row below also:
{"id":17899,"protocol":{"name":"console"},"ip":"172.16.16.210","port":"22","additionalInformation":null,"plainTextURL":null,"login":"pfsofw401","password":null,"device":7076}
{"id":17900,"protocol":{"name":"https"},"ip":"192.0.32.230","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}
{"id":17644,"protocol":{"name":"ssh"},"ip":"192.0.32.230","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7076}