Splunk Search

How to extract all values for a single field using rex?

harshal_chakran
Builder

Hi,
I have a log file from which I am trying to extract a value of the specific term "Security ID".
My data is divided into two events, as follows:

EVENT 1:

waterfall:
    Security ID:     NULL SID
    Data Language:   -
    Data Syntax:     -
    Data ID:         0x0

Data Type:         3

New Interface:
    Security ID:     QWERTY\ts123654
    Data Language:   ts123654
    Data Syntax:     QWERTY
    Data ID:         0x17r2627u8
    Data GUID:     {00000000-0000-0000-0000-000000000000}

EVENT 2:

waterfall:
    Security ID:      ASDFGH\ts654321
    Data Language:  ts654321
    Data Syntax:      ASDFGH
    Data ID:          0x17r2612323
    Data GUID:      {00000000-0000-0000-0000-000000000000}

I want to extract the values of the term "Security ID" from the logs and display the data in the following manner:

NULL SID
QWERTY\ts123654
ASDFGH\ts654321

I have used the field extractor utility of Splunk, but am not able to capture all the Security IDs.
Please Help...!!!


wpreston
Motivator

Try this to see if it works:

... search terms here ... | rex "Security\sID:\s(?<Security_ID>.*)\sData\sLanguage"

If so, you can add the regular expression into your props.conf file to extract the field automatically.

wpreston
Motivator

No problem, happy to help!


KindaWorking
Path Finder

There are a couple of things that will not work for this. I believe the regular expression you are looking for is something like:

Security\sID:\s+(?<SecurityID>.*)\n

There is quite a bit of whitespace between Security ID: and the data he is hoping to grab. The thing that I do not know how to do (and am super keen to know how it can be done) is how to extract multiple values of the same field from a single event.


wpreston
Motivator

Getting past the extra white space is easy enough with a slightly modified regex (the extra white space and the current formatting of the events with line breaks were not in the original post).

To extract multiple values of the same field from a single event, you need to add your extraction to transforms.conf and add MV_ADD = True, then either create a new report stanza or add to an existing report stanza in props.conf for the host, source, or sourcetype that the field is associated with. For this example, I'll use a sourcetype of 'waterfall':

transforms.conf

[Security_ID_Extraction]
REGEX = Security\sID:\s+(?<SecurityID>.*)\n
MV_ADD = True

props.conf

[waterfall]
REPORT-waterfall_fields = Security_ID_Extraction
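The two regexes from this thread run over the question's sample events, as an added example that is not code from the thread or from Splunk: Python's re stands in for Splunk's rex/transforms.conf, and the list returned per event plays the role of the multivalue field that MV_ADD = True produces.

```python
import re

# Constructed sample events, copied from the question (not real log data).
EVENT_1 = r"""waterfall:
    Security ID:     NULL SID
    Data Language:   -
    Data Syntax:     -
    Data ID:         0x0

Data Type:         3

New Interface:
    Security ID:     QWERTY\ts123654
    Data Language:   ts123654
    Data Syntax:     QWERTY
    Data ID:         0x17r2627u8
    Data GUID:     {00000000-0000-0000-0000-000000000000}
"""

EVENT_2 = r"""waterfall:
    Security ID:      ASDFGH\ts654321
    Data Language:  ts654321
    Data Syntax:      ASDFGH
    Data ID:          0x17r2612323
    Data GUID:      {00000000-0000-0000-0000-000000000000}
"""

# Splunk writes named groups as (?<name>...); Python's re needs (?P<name>...).
# First answer's pattern: one \s cannot bridge the run of spaces after the
# colon, and "\sData" cannot bridge the newline plus indentation, so it never matches.
PATTERN_SINGLE_SPACE = r"Security\sID:\s(?P<SecurityID>.*)\sData\sLanguage"
# Follow-up pattern: \s+ absorbs the padding and the value runs to the end of line.
PATTERN_MULTI_SPACE = r"Security\sID:\s+(?P<SecurityID>.*)\n"


def extract_security_ids(event: str, pattern: str) -> list[str]:
    """Return every SecurityID capture in one event, i.e. all matches are kept
    rather than only the first, which is what MV_ADD = True does for a REGEX."""
    return [m.group("SecurityID") for m in re.finditer(pattern, event)]


def all_security_ids(events: list[str], pattern: str) -> list[str]:
    """Flatten the per-event multivalue field across all events, in order."""
    return [sid for event in events for sid in extract_security_ids(event, pattern)]


if __name__ == "__main__":
    for label, pattern in (("single \\s", PATTERN_SINGLE_SPACE), ("\\s+", PATTERN_MULTI_SPACE)):
        print(label, all_security_ids([EVENT_1, EVENT_2], pattern))
```

Note that the `\n` at the end of the second pattern requires a line break after the value, so a Security ID on the very last line of an event with no trailing newline would be missed.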

KindaWorking
Path Finder

Cool, thanks for that, wpreston. I know I did not ask the question, but I had the exact same question I was going to ask.
