How to use REX command to extract multiple fields in Splunk

I want to be able to extract multiple fields in Splunk using rex, but I am only able to extract 3 fields, then it stops working.

I am trying to get a field extraction working, and have written regex accordingly that the field extractor seems to like.

The raw logs are a list of quote-encapsulated fields separated by commas:

Certain fields can have multiple values, wherein the values are separated only by a comma but quotes enclose only the entire list of fields. To complicate matters, values that belong to a certain field can contain multiple words separated by other characters, such as "Software/Technology" or "Business and Industry", so that the entire field may look something like this:

"Software/Technology,Business Services,Application,Business and Industry,Computers and Internet"

That field needs to be extracted and displayed exactly as it is shown. The regex I have attempted for this is as follows:

Although the field extractor, rex function, and regex101 like both of these extractions and they work exactly as expected, when I search I get each word from within the field as its own independent value, which is not what I need:

At this point I'm out of ideas as to regex modifications or other work-arounds that can be applied to fix this. Has anyone else encountered this problem and if so, were you able to fix it and how? Otherwise I think I have to bring this to Splunk support.

Thanks for the responses thus far, it is much appreciated. Here are some sanitized examples of logs:

" 11:34:59","Charlie Five Five (A)","NOERROR","","Software/Technology,Webmail,Business Services,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration","AD Users","AD Users,Networks,Anyconnect Roaming Client",""

In the first example, I would want the values for the categories field to be as follows (each line represents one complete field value as it would display in a search):

Alternatively, this would also suffice, which is the entire string exactly as it displays in the log:

Software/Technology,Application,Computers and Internet

The same applies to the second example; here I will display them as if I clicked on the field in the event drop-down and selected "view events", and this is what would be added to the search bar:

categories="Software/Technology,Webmail,Business Services,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration"

Or (I'll only show 1 here for the sake of brevity):

categories="Online Document Sharing and Collaboration"

Hope this helps you more, and thank you again for your assistance.
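The two behaviours the post contrasts, one value per comma-separated category versus one value per word, can be reproduced outside Splunk with a few lines of Python. This is an added example, not code from the post or from Splunk: it parses the sanitized log line quoted above with a regex that captures each quoted field whole (the column names are an assumption, since the post only names the "categories" field), checks the result against the csv module, and then shows a comma split, which keeps "Online Document Sharing and Collaboration" together, beside a whitespace split, which produces the per-word values the post describes.

```python
import csv
import io
import re

# Constructed from the sanitized log line quoted in the post; the leading
# space before the time is preserved exactly as it appears there.
SAMPLE_LINE = (
    '" 11:34:59","Charlie Five Five (A)","NOERROR","",'
    '"Software/Technology,Webmail,Business Services,Organizational Email,'
    'Application,Web-based Email,Online Document Sharing and Collaboration",'
    '"AD Users","AD Users,Networks,Anyconnect Roaming Client",""'
)

# Every field is enclosed in double quotes, and commas inside the quotes
# belong to the field. Matching the quoted unit as a whole is what keeps a
# multi-word, multi-valued field in one piece.
QUOTED_FIELD = re.compile(r'"([^"]*)"')

# Hypothetical column names for the positions in the sample line
# (assumption: the post names only the "categories" field).
COLUMNS = ["time", "identity", "response", "unused",
           "categories", "policy", "identities", "unused2"]


def extract_fields(line: str) -> dict:
    """Return one whole string per quoted field, keyed by column name."""
    values = QUOTED_FIELD.findall(line)
    if len(values) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} quoted fields, got {len(values)}")
    return dict(zip(COLUMNS, values))


def extract_fields_csv(line: str) -> dict:
    """Same result via the csv module, which also handles escaped quotes."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(row)}")
    return dict(zip(COLUMNS, row))


def split_multivalue(field: str) -> list:
    """Split a multi-valued field on commas only: one value per category."""
    return [v for v in field.split(",") if v]


def split_per_word(field: str) -> list:
    """Split on whitespace and commas: the per-word result the post wants to avoid."""
    return re.findall(r"[^\s,]+", field)


if __name__ == "__main__":
    fields = extract_fields(SAMPLE_LINE)
    print("whole field:   ", fields["categories"])
    print("per category:  ", split_multivalue(fields["categories"]))
    print("per word:      ", split_per_word(fields["categories"]))
```

The regex capture keeps the quoted field as a single string, which is the "entire string exactly as it displays in the log" form; `split_multivalue` then yields one value per category, the "each line represents one complete field value" form. Splitting on whitespace is shown only to make the difference concrete.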