Preserving dual values for a field in parser function extract mode.

Eugene Katz

i am using parser function in extract mode for a key value pair data source. What I noticed is that, some of the events have two values for the same field `rule_uid = "1234556" | rule_uid = "78938794"` . Cribl seem to be keeping the second value for rule_uid field. What is a right way to preseve both the values for a field? I wonder if parser is the right choice for this.

David Maislin

Parser keeps the last value found

David Maislin

You could use Regex which would extract an array of matches.

Eugene Katz

okay, let me try that

Eugene Katz

Thank you David

Eugene Katz

<@U01C35EMQ01&gt; were you suggesting to use Type = Regular expression in the parser function?

David Maislin

No, using the Regular Expression Function

Eugene Katz

ok

David Maislin

We have name value support to auto create keys from the values.

Eugene Katz

i was testing out the regular expression Type in parser and that seem to be working out as well

David Maislin

There is no RegEx type I am aware of in the Parser Function?

David Maislin

If you are referring to JSON, then you will also lose key values as you saw when the key is the same.

Eugene Katz

0

Eugene Katz

i was talking about this

David Maislin

Ah, that is the new 4.1 enhancement to Parser right?

Eugene Katz

Not sure when this was released, very useful though!

David Maislin

It is basically the Regex Function inside the Parser function right?

Eugene Katz

yea, looks like that way

David Maislin

Did you still need help with that?

Eugene Katz

I am good now. Thanks for your help!