https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491971#M84095 <P><CODE>mvexpand</CODE> gives you a different event for each value in a multi-value field. Using <CODE>mvindex</CODE> keeps all of the fields associated with the same event.</P> Wed, 02 Oct 2019 12:57:52 GMT richgalloway 2019-10-02T12:57:52Z https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491968#M84092 <P>Hi All,</P> <P>Can someone help me to parse the fields either at indexing or through searches? Splunk detects the default fields as enterprises.48099.1.1.1/enterprises.48099.1.1.2 etc., . but we only need the value inside the quotations like below.</P> <P>enterprises.48099.1.1.2 = STRING: "Monitoring error (SQL Server data collection)". But we need field as below:</P> <P>field1 = Monitoring error (SQL Server data collection) </P> <P>Sample Data:</P> <PRE><CODE>2019-10-01 21:05:24 monspk-sqlmon-01.local [UDP: [111.12.171.01]:64274-&gt;[111.12.171.55]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.48099.1.1 SNMPv2-SMI::enterprises.48099.1.1.1 = STRING: "2360689" SNMPv2-SMI::enterprises.48099.1.1.2 = STRING: "Monitoring error (SQL Server data collection)" SNMPv2-SMI::enterprises.48099.1.1.3 = STRING: "SQL Monitor cannot collect data from the SQL Server instance." SNMPv2-SMI::enterprises.48099.1.1.4 = STRING: "2019-10-01 19:05:00Z" SNMPv2-SMI::enterprises.48099.1.1.5 = STRING: "Low" SNMPv2-SMI::enterprises.48099.1.1.6 = STRING: "monspk-sql8-bi01" SNMPv2-SMI::enterprises.48099.1.1.7 = STRING: "https://monspk-sqlmon-01.local:8443/show/alert/2360689?baseMonitorId=288e5411-856f-4661-97c1-3c6cc8b5d16c" SNMPv2-SMI::enterprises.48099.1.1.8 = STRING: "Raised" SNMPv2-SMI::enterprises.48099.1.1.9 = "" SNMPv2-SMI::enterprises.48099.1.1.10 = "" SNMPv2-SMI::enterprises.48099.1.1.11 = STRING: "monspk-sql8-clust.local" SNMPv2-SMI::enterprises.48099.1.1.12 = STRING: "monspk-SQL8-CLUST - SQL Alert" </CODE></PRE> <P>Can someone please help with this to parse at indexing or through rex.</P> <P>Thanks!</P> Tue, 01 Oct 2019 19:29:58 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491968#M84092 mallempati 2019-10-01T19:29:58Z https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491969#M84093 <P>Here's one way. Since all of the strings you want to extract have no unique identifier, this <CODE>rex</CODE> command will pull them all into a multivalue field called 'fields'. Then you can use <CODE>mvindex</CODE> to access the individual fields.</P> <PRE><CODE>... | rex max_match=0 "STRING:\s\"(?&lt;fields&gt;[^\"]+)" | eval field1=mvindex(fields,0), field2=mvindex(fields, 1) ... </CODE></PRE> Tue, 01 Oct 2019 20:46:26 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491969#M84093 richgalloway 2019-10-01T20:46:26Z https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491970#M84094 <P>Hi @richgalloway,</P> <P>Is there a specific reason you wouldn't use <CODE>mvexpand</CODE>? Just curious.</P> <P>Cheers,<BR /> Jacob</P> Tue, 01 Oct 2019 20:57:08 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491970#M84094 jacobpevans 2019-10-01T20:57:08Z https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491971#M84095 <P><CODE>mvexpand</CODE> gives you a different event for each value in a multi-value field. Using <CODE>mvindex</CODE> keeps all of the fields associated with the same event.</P> Wed, 02 Oct 2019 12:57:52 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-regex-to-parse-the-snmp-inputs/m-p/491971#M84095 richgalloway 2019-10-02T12:57:52Z