topic Re: Need help in writing regex (PCRE) in Splunk Search

Need help in writing regex (PCRE)

pal_sumit1 — Thu, 24 Oct 2019 10:01:50 GMT

HI All,

We have events where some fields are having multiple value , below is the example

event1 :
123,s@gmail.com,abc
here
id = 123
email = s@gmail.com
name = abc

Event2 :
124,g@gmail.com,f@gmail.com,bcd

Here
id = 124
email = g@gmail.com,f@gmail.com
name = bcd
So the email field is not fixed it may have multiple values separated by commas , I need help in writing regex(pcre) for these types of data .

Thanks In advance

Re: Need help in writing regex (PCRE)

gcusello — Thu, 24 Oct 2019 10:26:05 GMT

Hi pal_sumit1,
if you have only three fields with the possibility that the second one (email) could have more values, or, in a more general use case, you have only one field that could have more than values and this field is an email, you could use three different regexes for the three fields:

| rex "^(?<id>[^,]*),"

that you can test at https://regex101.com/r/MtUP2K/1

| rex max_match=100 ",(?<email>[^@]*@[^,]*),"

that you can test at https://regex101.com/r/MtUP2K/2

| rex ".*,(?<name>.*)$"

that you can test at https://regex101.com/r/MtUP2K/3

Ciao.
Giuseppe

Re: Need help in writing regex (PCRE)

pal_sumit1 — Thu, 24 Oct 2019 11:02:36 GMT

Hi gcusello,

The no. of fields are more than 30 .. the above regex will not work for that many fields and I need to add this regex in props.conf

Re: Need help in writing regex (PCRE)

gcusello — Thu, 24 Oct 2019 11:33:00 GMT

Hi pal_sumit1,
The no of fields isn't a problem for this approach, the mandatory rules are:

there's only one field with multivalue,
this field has an identifiable and unic (in your logs) format (like email) so it's possible to indentify multiple values.

Anyway you can put them in props.conf, otherwise (as a workaround) you can put in props all the other fields and use rex command only for the multivalue field.

Ciao.
Giuseppe