I have event data which looks like this:
Sep 12 11:33:23 hostname AUDIT "2019-09-12 11:33:23.677 GMT+1000" 192.168.19.36 hostname:1812 0 1912 17771 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 11:33:53 hostname AUDIT "2019-09-12 11:33:53.848 GMT+1000" 192.168.19.36 hostname:1812 0 1912 17974 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 11:34:11 hostname AUDIT "2019-09-12 11:34:11.692 GMT+1000" 192.168.19.36 hostname:1812 0 1912 18175 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
Sep 12 14:34:22 hostname AUDIT "2019-09-12 14:34:22.210 GMT+1000" 192.168.19.36 hostname:1812 0 18870 20232 "text=Access DENIED Incorrect LDAP Password. ,reason=3; Incorrect LDAP Password." Thread-6076 VSValidationEngine.c
Sep 12 14:40:37 hostname AUDIT "2019-09-12 14:40:36.800 GMT+1000" 192.168.19.36 hostname:1812 0 1912 20499 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c
I am grouping the events into a transaction based on the auto-extracted "thread" field. This makes these into 1 event. I am then extracting the results into a field called "result" using the following rex command:
rex field=text max_match=0 "Access\s(?<result>[A-Z]+)\s"
With the example event data above, I get a MV field with only 2 values. It seems to be deduping my match. I really want ALL the values and then am interested in putting the final value (index -1) into another field.
Any guidance on how to achieve this would be appreciated.
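The behaviour the question describes, reproduced outside Splunk as an added example (this is not the poster's search or Splunk's own code): the same five audit lines are grouped by their Thread-NNNN token, every `Access <RESULT>` match is collected per thread in arrival order, and the final value is taken from that list. A second mode collapses the list to a sorted set of unique values, which is the two-value result the poster is seeing. The event text is taken from the question; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# Sample events, copied from the question (five lines, one thread).
EVENTS = [
    'Sep 12 11:33:23 hostname AUDIT "2019-09-12 11:33:23.677 GMT+1000" 192.168.19.36 hostname:1812 0 1912 17771 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
    'Sep 12 11:33:53 hostname AUDIT "2019-09-12 11:33:53.848 GMT+1000" 192.168.19.36 hostname:1812 0 1912 17974 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
    'Sep 12 11:34:11 hostname AUDIT "2019-09-12 11:34:11.692 GMT+1000" 192.168.19.36 hostname:1812 0 1912 18175 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
    'Sep 12 14:34:22 hostname AUDIT "2019-09-12 14:34:22.210 GMT+1000" 192.168.19.36 hostname:1812 0 18870 20232 "text=Access DENIED Incorrect LDAP Password. ,reason=3; Incorrect LDAP Password." Thread-6076 VSValidationEngine.c',
    'Sep 12 14:40:37 hostname AUDIT "2019-09-12 14:40:36.800 GMT+1000" 192.168.19.36 hostname:1812 0 1912 20499 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-6076 VSValidationEngine.c',
]

# Field extraction, standing in for Splunk's auto-extracted "thread" and "text" fields.
THREAD_RE = re.compile(r"\s(Thread-\d+)\s")
TEXT_RE = re.compile(r'"text=([^"]*)"')
# Same pattern as the rex in the question, with a named capture group "result".
RESULT_RE = re.compile(r"Access\s(?P<result>[A-Z]+)\s")


def parse_event(line):
    """Return (thread, text) for one audit line, or (None, None) if either is missing."""
    thread = THREAD_RE.search(line)
    text = TEXT_RE.search(line)
    if not thread or not text:
        return None, None
    return thread.group(1), text.group(1)


def results_by_thread(lines, unique=False):
    """Group every Access result by thread.

    unique=False keeps all matches in arrival order (what the poster wants).
    unique=True  keeps only distinct values, sorted (the deduplicated form
                 the poster is currently getting back).
    """
    grouped = defaultdict(list)
    for line in lines:
        thread, text = parse_event(line)
        if thread is None:
            continue  # skip lines that lack a thread or text field
        for match in RESULT_RE.finditer(text):
            grouped[thread].append(match.group("result"))
    if unique:
        return {t: sorted(set(v)) for t, v in grouped.items()}
    return dict(grouped)


def final_result(values):
    """The last value of the multivalue list (index -1), or None when empty."""
    return values[-1] if values else None


if __name__ == "__main__":
    all_values = results_by_thread(EVENTS)
    for thread, values in all_values.items():
        print(thread, "all:", values, "final:", final_result(values))
    print("deduplicated:", results_by_thread(EVENTS, unique=True))
```

Running it prints five values for Thread-6076 (CHALLENGED, CHALLENGED, CHALLENGED, DENIED, CHALLENGED) with CHALLENGED as the final value, while the unique mode yields only CHALLENGED and DENIED. In Splunk itself the `transaction` command's `mvlist` option controls whether a transaction's multivalue fields keep every original value in arrival order or only the unique values, so that setting is the first thing to check when the list comes back shorter than expected.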