Parse multi on more than one field



  • Nathan Beltran


    Here is one way to do it without using parse multi. The only gotcha is that you will have to create a parse statement for each set of arrays. For example, the parse statements below will parse the arrays with 4, 5 and 6 numerical fields.


    | parse regex "riskTuples\":\":-(?<t1>\d+)-(?<t2>\d+)-(?<t3>\d+)-(?<t4>\d+)-(?<t5>\d+)-(?<t6>\d+)\",\"riskScores\":\":-(?<r1>\d+)-(?<r2>\d+)-(?<r3>\d+)-(?<r4>\d+)-(?<r5>\d+)-(?<r6>\d+)\"" nodrop
    | parse regex "riskTuples\":\":-(?<t1>\d+)-(?<t2>\d+)-(?<t3>\d+)-(?<t4>\d+)-(?<t5>\d+)\",\"riskScores\":\":-(?<r1>\d+)-(?<r2>\d+)-(?<r3>\d+)-(?<r4>\d+)-(?<r5>\d+)\"" nodrop
    | parse regex "riskTuples\":\":-(?<t1>\d+)-(?<t2>\d+)-(?<t3>\d+)-(?<t4>\d+)\",\"riskScores\":\":-(?<r1>\d+)-(?<r2>\d+)-(?<r3>\d+)-(?<r4>\d+)\"" nodrop
    | concat("tuples = ", t1," ","score=", r1) as newfield1
    | concat("tuples = ", t2," ","score=", r2) as newfield2
    | concat("tuples = ", t3," ","score=", r3) as newfield3
    | concat("tuples = ", t4," ","score=", r4) as newfield4
    | concat("tuples = ", t5," ","score=", r5) as newfield5
    | concat("tuples = ", t6," ","score=", r6) as newfield6
    | fields newfield1, newfield2, newfield3, newfield4, newfield5, newfield6

  • Nathan Beltran


    Here is a better alternative, using parse with the multi option.

    | json field=_raw "waf.riskTuples" as t
    | json field=_raw "waf.riskScores" as r
    | parse regex field= t "-(?<t1>\d+)" multi
    | parse regex field= r "-(?<r1>\d+)" multi
    | concat("tuples = ", t1," ","score=", r1) as newfield
    | fields newfield
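As an added example that is not part of either answer, here is a Python equivalent of the two approaches: the same "-<number>" pattern the second answer feeds to parse multi is applied repeatedly to each field, and the i-th tuple is paired with the i-th score the way the first answer's newfield1..newfield6 concat chain does, but for any array length. The log line and field values are constructed for illustration.

```python
import json
import re

# Constructed sample log line in the shape both answers assume: the
# waf.riskTuples and waf.riskScores values are strings of the form
# ":-N-N-N", one "-<number>" token per array element.
SAMPLE_LOG = json.dumps({
    "waf": {"riskTuples": ":-12-7-3-9", "riskScores": ":-40-25-10-5"}
})

# Same pattern as the second answer's parse regex: one capture per
# "-<digits>", applied repeatedly (the counterpart of the multi option).
TOKEN_RE = re.compile(r"-(\d+)")


def parse_multi(value):
    """Return every numeric token in a ':-N-N-N' string, in order."""
    return [int(m.group(1)) for m in TOKEN_RE.finditer(value)]


def pair_tuples_with_scores(raw):
    """Equivalent of the first answer's concat chain, for any array length.

    Extracts waf.riskTuples and waf.riskScores from the raw JSON (the
    'json field=_raw' step), parses each with parse_multi(), and pairs the
    i-th tuple with the i-th score, which is what newfield1..newfield6 do
    in the fixed-width regex version.
    """
    doc = json.loads(raw)
    tuples = parse_multi(doc["waf"]["riskTuples"])
    scores = parse_multi(doc["waf"]["riskScores"])
    # The fixed-width regexes silently skip a log line whose arrays differ
    # in length; here that is reported instead of producing wrong pairs.
    if len(tuples) != len(scores):
        raise ValueError(
            f"array length mismatch: {len(tuples)} tuples vs {len(scores)} scores"
        )
    return [f"tuples = {t} score={s}" for t, s in zip(tuples, scores)]


if __name__ == "__main__":
    for line in pair_tuples_with_scores(SAMPLE_LOG):
        print(line)
```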
