topic Re: How to rex multiple lines in Splunk Search

How to rex multiple lines

garujoey — Thu, 10 May 2018 10:39:57 GMT

Hi there,

I am a newbie in Splunk and trying to do some search using the rex.

The log body is like:

blah blah
Dest : aaa
blah blah
Dest: bbb
blah blah
Dest: ccc

I searched online and used some command like ' rex field=_raw "(?s)Dest : (?.*)" ' or (?smi), but it wasn't what I wanted.

I need the output to only get the table like
aaa
bbb
ccc

Is there any way to do that?

Thank you very much in advance!
:)

Re: How to rex multiple lines

woodcock — Thu, 10 May 2018 14:19:02 GMT

Like this:

| rex max_match=0 "(?ms)\s+Dest:\s+(?<Dest>\S+)"
| stats values(Dest) AS Dests

Re: How to rex multiple lines

jimodonald — Thu, 10 May 2018 14:25:19 GMT

Try this:

|  rex field=_raw "Dest\s*:\s(?P<myfield>.*)"

Re: How to rex multiple lines

davey1985 — Thu, 10 May 2018 15:02:42 GMT

To get it into a table on its own it would be:

| rex "Dest:\s+(?<Data>.*)"
| table Data

Re: How to rex multiple lines

davey1985 — Thu, 10 May 2018 15:22:02 GMT

+1 i misinterpretted. max_match=0 would get multiple results

Re: How to rex multiple lines

woodcock — Thu, 10 May 2018 17:29:17 GMT

That is the whole point, is it not?

Re: How to rex multiple lines

garujoey — Tue, 29 Sep 2020 19:31:02 GMT

Thanks woodcock, I used "| rex max_match=0 field=_raw "(?)Dest : (?.*)" | table path" in the end, but your suggestion to use "max_match=0" really helps!