topic Re: How to create a regular expression on a multivalue field in Splunk Search

How to create a regular expression on a multivalue field

jlkokko — Wed, 08 Mar 2017 15:38:36 GMT

I have a multivalue (MV) field "filetypes" with values such as:

test/Makefile.am,test/och_test.cc,test/fully1.py,24,FKP/pro.pl

I need to keep only the extension listed (such as am, cc, py, pl, etc..) so I have two questions:

A. The appropriate regular expression
B. Is it more appropriate to run a regex prior splitting a MV field or after?

Re: How to create a regular expression on a multivalue field

somesoni2 — Wed, 08 Mar 2017 16:04:14 GMT

Try like this. It'll create a new field with just the extn.

your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"

Re: How to create a regular expression on a multivalue field

woodcock — Wed, 08 Mar 2017 18:03:08 GMT

Like this:

... | mvexpand filetypes | rex field=filetypes "^(?<file_prefix>.+)\.(?<file_suffix>[^\.]+)$"

Re: How to create a regular expression on a multivalue field

jlkokko — Wed, 08 Mar 2017 18:27:44 GMT

Both of the above worked well...wondering if one less expensive than the other

Re: How to create a regular expression on a multivalue field

woodcock — Wed, 08 Mar 2017 18:37:06 GMT

Mine was geared towards enabling the later commands that you will surely be interested in doing. You can look at the Job Inspector to compare efficiencies.