https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428563#M122601 <P>"This is close.. although it takes all the ZoneVal &amp; lops them into the same field value. I need them to be different values. </P> <P>after rethinking it, broke into 2 rex's. </P> <P>| rex "zone:\s+(?\S+)"<BR /> | rex max_match=0 "(?\S\S:\S\S:\S\S:\S\S:\S\S:\S\S:\S\S:\S\S)"</P> <P>That nailed it... although dang it! my first attempt should have worked! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> "</P> Tue, 28 Aug 2018 17:05:37 GMT clintla 2018-08-28T17:05:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428560#M122598 <P>With this dataset, the linebreaker is zone:</P> <PRE><CODE> zone: zone_1wwns 00:00:00:00:00:00:00:01 zone: zone_2wwns 00:00:00:00:00:00:00:02 00:00:00:00:00:00:00:03 zone: zone_3wwns 00:00:00:00:00:00:00:04 00:00:00:00:00:00:00:05 00:00:00:00:00:00:00:06 </CODE></PRE> <P>When I use the regex:</P> <PRE><CODE>| rex max_match=0 "zone:\s+(?\w+)((\s+(?\S\S\:\S\S\:\S\S\:\S\S\:\S\S\:\S\S\:\S\S\:\S\S))+)" </CODE></PRE> <P>It captures the last wwn, when I remove the (+) at the end, then it captures the first wwn</P> <P>When I do this search w/ Notepad++ it finds all wwns (my most used tool for testing rex). Seems like this should work. <BR /> Is there another way to capture these possible extra lines?</P> Tue, 28 Aug 2018 14:30:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428560#M122598 clintla 2018-08-28T14:30:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428561#M122599 <P>Notepad++ is great, but I believe it does not use a Perl-compatible regex engine (PCRE) like Splunk does. Most folks here use regex101.com to test their regular expressions.</P> Tue, 28 Aug 2018 14:39:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428561#M122599 richgalloway 2018-08-28T14:39:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428562#M122600 <P>Give this a try (runanywhere sample, everything before rex command is to generate sample data)</P> <PRE><CODE>| gentimes start=-1 | eval raw="zone: zone_1wwns 00:00:00:00:00:00:00:01 ##zone: zone_2wwns 00:00:00:00:00:00:00:02 00:00:00:00:00:00:00:03 ##zone: zone_3wwns 00:00:00:00:00:00:00:04 00:00:00:00:00:00:00:05 00:00:00:00:00:00:00:06" | table raw | makemv raw delim="##" | mvexpand raw | rex field=raw max_match=0 "zone:\s+(?&lt;zone&gt;\w+)[\r\n\s](?&lt;ZoneVal&gt;\s*((\d{2}\:)+\d+[\r\n\s]*)+)" </CODE></PRE> Tue, 28 Aug 2018 15:26:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428562#M122600 somesoni2 2018-08-28T15:26:14Z https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428563#M122601 <P>"This is close.. although it takes all the ZoneVal &amp; lops them into the same field value. I need them to be different values. </P> <P>after rethinking it, broke into 2 rex's. </P> <P>| rex "zone:\s+(?\S+)"<BR /> | rex max_match=0 "(?\S\S:\S\S:\S\S:\S\S:\S\S:\S\S:\S\S:\S\S)"</P> <P>That nailed it... although dang it! my first attempt should have worked! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> "</P> Tue, 28 Aug 2018 17:05:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-capture-the-repeating-pattern-on-multiple-lines-with/m-p/428563#M122601 clintla 2018-08-28T17:05:37Z