topic How do I select first and second match as separate fields using Rex? in Splunk Search

How do I select first and second match as separate fields using Rex?

aherrington — Mon, 01 Oct 2018 09:45:12 GMT

Hello,

I have 1 field in Splunk which contains 2 short email headers in plain-text, for example:

 **From**: Me (me@me.com)
 **Sent**: 28 September 2018 17:42
 **To**: You (you@you.com)
 **Subject**: This is the first email

 **From**: Me (me@me.com)
 **Sent**: 28 September 2018 18:42
 **To**: You-aswell (you-aswell@you.com)
 **Subject**: This is the second email

 There is more text after the 2 short email headers.

I would like to use Rex to select the 2 Sent times, i.e:

rex field=output "Sent: (?<sent_time_1>.*)"

rex field=output "Sent: (?<sent_time_2>.*)"

How do I select in the rex function which match to select? As an FYI, there may be text before the headers so selecting the line number wouldn't be an option.

Thanks,

Re: How do I select first and second match as separate fields using Rex?

Sukisen1981 — Tue, 29 Sep 2020 21:24:58 GMT

why not just use something like this?
| rex field=output "Sent: (?.*)" max_match=0
This will give you both the matches in a multivalue value, if you need them as separate rows just append |mvexpand sent_time after the max_match=0

Re: How do I select first and second match as separate fields using Rex?

aherrington — Mon, 01 Oct 2018 12:18:08 GMT

Thanks for your answer, that works to get the result on different rows, however I need the result to be in separate fields.

Can this method be adapted for that?

Thanks,

Re: How do I select first and second match as separate fields using Rex?

darrenfuller — Tue, 29 Sep 2020 21:25:01 GMT

If it's always two, you could do this...,

| makeresults | eval output="From: Me (me@me.com)
Sent: 28 September 2018 17:42
To: You (you@you.com)
Subject: This is the first email

From: Me (me@me.com)
Sent: 28 September 2018 18:42
To: You-aswell (you-aswell@you.com)
Subject: This is the second email
There is more stuff after the email headers, so this here represents more stuff"
| rex field=output "**Sent**:\s(?\d+\s\w+\s\d+\s\d+:\d+)" max_match=0
| eval sent_time_1=mvindex(sent_time, 0)
| eval sent_time_2=mvindex(sent_time, 1)
| table output sent_time_1, sent_time_2

Re: How do I select first and second match as separate fields using Rex?

aherrington — Mon, 01 Oct 2018 15:15:23 GMT

That almost works, although I can't guarantee that there will always be 2, sometimes there will be 3 or 4. I need to make sure it only selects the first 2.

Re: How do I select first and second match as separate fields using Rex?

Sukisen1981 — Mon, 01 Oct 2018 16:35:47 GMT

Hi,
mvindex will still work, ref documentation here - http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/MultivalueEvalFunctions

As the documentation says, mvindex starts from 0 and as @darrenfuller has stated, irrespective of 3-4..n matches in your output field for the above rex, mvindex of 0 and 1 are going to fetch the 1st and 2nd fields respectively.
Can you please try and confirm?

Re: How do I select first and second match as separate fields using Rex?

aherrington — Tue, 02 Oct 2018 09:49:26 GMT

Hello, apologies it was an error from a different function that threw up the error. This worked perfectly, thank you for your help

Re: How do I select first and second match as separate fields using Rex?

RedStapler — Wed, 11 May 2022 01:02:31 GMT

This method worked for me on an Windows Event log where "Account Name:" appears twice on every event and I only wanted the 2nd name, not the first. The only oddity unresolved was when one of the two names were null in the event. There might be a way to fix that. Other than that, it worked.

index=* host=*servername* password EventCode=4625

| rex field=Message "Account Name:\s+(?<ACCOUNT_NAME>[^\r\n]+)" max_match=0

| eval Account_Name_1=mvindex(Account_Name, 0)

| eval Account_Name_2=mvindex(Account_Name, 1)

| table DomainController, Account_Name_2