topic Re: Retrieve value of second matching word in Splunk Search

How retrieve value of second matching word?

Aks_PC_20 — Thu, 28 Apr 2022 18:03:39 GMT

In a log if there are two similar words with different value , how to retrieve value of second word using regex ?

Example: "Display details of value =abc and value=def for id=1". how to display value "def" ?

index=* "Letters" |rex field=_raw max_match=0 "value=?(?<value2>[^\n]*)" |stats values(value2) as letter by id

Above query returns

1 "abc and value=def"

Re: Retrieve value of second matching word

richgalloway — Thu, 28 Apr 2022 00:27:13 GMT

When rex finds more than one match it puts them all into a multi-valued field. Use the mv* functions to manipulate them. In this case, get the second word using mvindex.

| eval secondWord = mvindex(value2, 1)

Re: Retrieve value of second matching word

PickleRick — Thu, 28 Apr 2022 06:43:50 GMT

Also, remeber that by default regexes are relatively greedy (they match as much as theu can) so if you don't specify any boundaries to matching withinyour regex, you'll have a runaway one. So, for example,

value=(?<value>.*)

will match the event

value=1, value=2, value=3

and will extract "value" field from the "1" up to the end of the string.

If you matched only

value=(?<value>\d+)

you'd get separate matches for each value

Re: Retrieve value of second matching word

VatsalJagani — Thu, 28 Apr 2022 05:00:56 GMT

@Aks_PC_20 - Try this query:

index=* "Letters" | rex field=_raw max_match=0 "value=(?<value>[\S]+)" | stats list(value) as letter by id | eval letter=mvindex(letter,1)

Please let me know if this works. Also please validate that this query works for all your examples, if not provide samples for which it does not work.

I hope this works!!

Re: Retrieve value of second matching word

Aks_PC_20 — Thu, 28 Apr 2022 16:49:55 GMT

This works but if the value is displayed as value="data need to be

displayed here "

here the value will be displayed only up to "data need to be " and not the complete string which is in next line.

Re: Retrieve value of second matching word

VatsalJagani — Thu, 28 Apr 2022 17:40:30 GMT

@Aks_PC_20 - If your format is fixed like:

Display details of value=abc and value=def for id=1

Format: <some text> value=<value-1> and value=<value-2> for id=<id>

Then you can use this:

index=* "Letters" | rex field=_raw max_match=0 "value=(?<value1>.+)\s+and\s+value=(?<value2>.+)\s+for\s+id=" | stats latest(value2) as letter by id

But to extract the proper value and to write the proper regex you first need to define the format of the events in order to know where the value is starting and ending.

I hope this helps!!!

Re: Retrieve value of second matching word

Aks_PC_20 — Thu, 28 Apr 2022 18:29:32 GMT

The value of value2 field is dynamic , each event will have different value. First query you mentioned worked but only thing is it consider the value only upto the end of line but does not consider the value which is continued in next line

Re: Retrieve value of second matching word

VatsalJagani — Fri, 29 Apr 2022 06:01:23 GMT

@Aks_PC_20 - So does that mean in your example?

* value1="abc"

* value2="def for id=1"

(because you mentioned value2 is till the end of the line.)

If this is correct then you can use:

index=* "Letters" | rex field=_raw max_match=0 "value=(?<value1>.+)\s+and\s+value=(?<value2>[^\n\r]+)" | stats latest(value2) as letter by id

I hope this helps!!! Upvote/Karma would be appreciated!!!