topic Re: Field Extraction - Multi Line Text Comma Separated in Splunk Search

Field Extraction - Multi Line Text Comma Separated

Razziq — Thu, 24 Jun 2021 17:48:22 GMT

Hello,

Hoping someone can help with a Field Extraction question regarding multi line text and capturing a specific value before a comma for each line.

The text example is below where I am trying to get the Tagname for each line, but the Field Extraction is only applying to the first line. Testing in Rubular or Regex101 and it works fine.

Tag: Tagname,Date,Value
Tag: Tagname1,Date1,Value1
Tag: Tagname2,Date2,Value2
Tag: Tagname3,Date3,Value3
Tag: Tagname4,Date4,Value4
Tag: Tagname5,Date5,Value5

I've tried :

Tag:\s(?<Tag>.+?),

(?ms)Tag:\s (?<Tag>.+?),

(?m)Tag: \s(?<Tag>.+?),

As well as a few others, but all seem to stop after the first capture. Any help would be appreciated, thanks!

Re: Field Extraction - Multi Line Text Comma Separated

Razziq — Thu, 24 Jun 2021 21:26:08 GMT

Never mind - I was able to get it working via the following in a search instead:

| rex max_match=0 field=_raw "(?ms)Tag:\s(?<Tag>.+?),"

Re: Field Extraction - Multi Line Text Comma Separated

richgalloway — Thu, 24 Jun 2021 21:48:42 GMT

The default behavior is to extract only the first match. To get more matches, use the max_match=0 option of rex in SPL, the MV_ADD attribute at search time, or the REPEAT_MATCH attribute at index time.