- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to extract multiple strings from multiple ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a logline that is extracted in multiple fields already. 1 of those fields contain multiple strings on different lines.
I would like to extract certain strings from these lines, and add them to a single field.
example log:
source=10.0.0.1
destination=10.0.0.2
action=deny
extra=rule number 1
xlated_source:192.168.0.1
xlated_destination:10.0.0.2
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN-printers
dest_info:the destination is part of group /destination/network/LAN
dest_info:the destination is part of group /destination/network/LAN-DC
as a result I would like to have the following new fields extracted from the "extra" field:
network-srcinfo=LAN,LAN-Tulsa,LAN-printers
network-dstinfo=LAN,LAN-DC
when I do a:
| rex field=_raw "/source/network/(?\.*)"
I only get:
network-srcinfo=LAN
I'm quite new to splunk, and I can't seem to find an answer to this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this:
| rex max_match=0 field=_raw "\/source\/network\/(?<network-srcinfo>.*)" | table network-srcinfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this:
| rex max_match=0 field=_raw "\/source\/network\/(?<network-srcinfo>.*)" | table network-srcinfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! that fixed my issue.
Of course, now a new one popped up. It seems that within the logs, things are not as consistent as I thought.
so it can indeed show up as:
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN-printers
but also in other combinations:
source_info:the source is part of group /source/network/LAN-Tulsa
source_info:the source is part of group /source/network/LAN
source_info:the source is part of group /source/network/LAN-printers
is there a way to do an alphabetical sort within the network-srcinfo field?
otherwise the results would be that "LAN, LAN-Tulsa, LAN-printers" is seen as different than "LAN-Tulsa, LAN, LAN-printers" while in essence, this is not the case
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
add a | sort network-srcinfo at the end
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
