topic Can you help me with a regex expression(multiple in one query)? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398040#M115476 <P>Trying to capture multiple groups, basically after the colon</P> <PRE><CODE>MacAddress : 7A:AA:82:31:24:B1 Manufacturer : VENDOR Username : SC32131BN_user IPNET : 11.412.111. PasswordExpires : 11/24/2018 3:44:48 PM Version : CCCS - 1423209 PhysicalDriveSpace : 19.620432424279 TotalRAM : 3.84324242539 DHCPLeaseExpires : 20432424324215.000000-300 DHCPServer : 11.12.234.61 SID : S-1-5-21-432233414-414324275-1810497902-1001 </CODE></PRE> <P>The name would be the field on the left. </P> <P>I tried something like this: | rex "MacAddress\s+:\s(?P[^\n]<EM>) | Manufacturer\s+:\s)(?P[^\n]</EM>)" but it doesn't appear to be giving me anything.</P> Tue, 02 Oct 2018 20:57:53 GMT JoshuaJohn 2018-10-02T20:57:53Z Can you help me with a regex expression(multiple in one query)? https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398040#M115476 <P>Trying to capture multiple groups, basically after the colon</P> <PRE><CODE>MacAddress : 7A:AA:82:31:24:B1 Manufacturer : VENDOR Username : SC32131BN_user IPNET : 11.412.111. PasswordExpires : 11/24/2018 3:44:48 PM Version : CCCS - 1423209 PhysicalDriveSpace : 19.620432424279 TotalRAM : 3.84324242539 DHCPLeaseExpires : 20432424324215.000000-300 DHCPServer : 11.12.234.61 SID : S-1-5-21-432233414-414324275-1810497902-1001 </CODE></PRE> <P>The name would be the field on the left. </P> <P>I tried something like this: | rex "MacAddress\s+:\s(?P[^\n]<EM>) | Manufacturer\s+:\s)(?P[^\n]</EM>)" but it doesn't appear to be giving me anything.</P> Tue, 02 Oct 2018 20:57:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398040#M115476 JoshuaJohn 2018-10-02T20:57:53Z Re: Can you help me with a regex expression(multiple in one query)? https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398041#M115477 <P>Try this :<BR /> props.conf -</P> <PRE><CODE>[&lt;yoursourcetypename&gt;] REPORT-xmlext = xml-extr </CODE></PRE> <P>Transforms.conf -</P> <PRE><CODE>[xml-extr] REGEX =(\w+)\s*:\s([^\r\n]+) FORMAT = $1::$2 MV_ADD = true REPEAT_MATCH = true </CODE></PRE> <P>It will extract fields at index time</P> Wed, 03 Oct 2018 04:24:01 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398041#M115477 493669 2018-10-03T04:24:01Z Re: Can you help me with a regex expression(multiple in one query)? https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398042#M115478 <P>Unfortunately do not have access to edit props.conf</P> Wed, 03 Oct 2018 18:58:09 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398042#M115478 JoshuaJohn 2018-10-03T18:58:09Z Re: Can you help me with a regex expression(multiple in one query)? https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398043#M115479 <P>Hi,</P> <P>If this in only one event, like a multivalue field, I may have a solution for you :</P> <OL> <LI><P>Replace every <CODE>:</CODE> by <CODE>=</CODE><BR /> <CODE>| rex field=yourfield mode=sed "s/:/=/"</CODE></P></LI> <LI><P>Rename your field as <CODE>_raw</CODE><BR /> <CODE>|rename yourfield as _raw</CODE></P></LI> <LI><P>Use <CODE>KV</CODE> function<BR /> <CODE>| KV</CODE></P></LI> </OL> <HR /> <P>Edit :</P> <P>Working example :</P> <PRE><CODE>| makeresults | eval data="MacAddress : 7A:AA:82:31:24:B1,Manufacturer : VENDOR,Username : SC32131BN_user,IPNET : 11.412.111.,PasswordExpires : 11/24/2018 3:44:48 PM,Version : CCCS - 1423209,PhysicalDriveSpace : 19.620432424279,TotalRAM : 3.84324242539,DHCPLeaseExpires : 20432424324215.000000-300,DHCPServer : 11.12.234.61,SID : S-1-5-21-432233414-414324275-1810497902-1001" | eval data = split(data,",") | rex field=data mode=sed "s/:/=/" | rename data as _raw | KV </CODE></PRE> Wed, 03 Oct 2018 21:22:13 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398043#M115479 KailA 2018-10-03T21:22:13Z Re: Can you help me with a regex expression(multiple in one query)? https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398044#M115480 <P>then try this in query:</P> <PRE><CODE>...| extract kvdelim=":" pairdelim="\n" </CODE></PRE> Thu, 04 Oct 2018 03:55:01 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-with-a-regex-expression-multiple-in-one-query/m-p/398044#M115480 493669 2018-10-04T03:55:01Z