topic Re: Capturing Multiple values in single group via regex in Splunk Search

How to capture Multiple values in single group via regex?

abhishekbhasin — Fri, 09 Sep 2022 01:29:34 GMT

Need to extract P302 P1 P2 with a single regular ex I build (?<Par>P[1-9][0-9]*) but when I run this in splunk it only captures first (P302)

[SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 pTime={P302=11,P1=7,P301=13,P2=24,P3=23,P4=31,P5=25,P6=23,P300=13,P7=23,P8=24,P9=24,P10=21,P12=24,P11=23,P1000=1,P14=26,P13=24,P16=21,P15=20,P18=20,P17=23} pProcessTime={P302p=10,P1p=6,P301p=12,P2p=23,P3p=22,P4p=30,P5p=24,P6p=23,P300p=13,P7p=23,P8p=24,P9p=24,P10p=21,P12p=23,P11p=22,P1000p=0,P14p=26,P13p=23,P16p=20,P15p=20,P18p=20,P17p=23} pWaitTime=

Re: Capturing Multiple values in single group via regex

ITWhisperer — Thu, 08 Sep 2022 18:34:42 GMT

| rex max_match=3 ...

Re: Capturing Multiple values in single group via regex

abhishekbhasin — Thu, 08 Sep 2022 18:50:55 GMT

Full syntax please rex max_match=3 ... (?<Par>P[1-9][0-9]*) doesn't work

Re: Capturing Multiple values in single group via regex

yuanliu — Thu, 08 Sep 2022 20:45:32 GMT

Can you explain "doesn't work?" This is a test:

| makeresults | eval _raw = " [SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 pTime={P302=11,P1=7,P301=13,P2=24,P3=23,P4=31,P5=25,P6=23,P300=13,P7=23,P8=24,P9=24,P10=21,P12=24,P11=23,P1000=1,P14=26,P13=24,P16=21,P15=20,P18=20,P17=23} pProcessTime={P302p=10,P1p=6,P301p=12,P2p=23,P3p=22,P4p=30,P5p=24,P6p=23,P300p=13,P7p=23,P8p=24,P9p=24,P10p=21,P12p=23,P11p=22,P1000p=0,P14p=26,P13p=23,P16p=20,P15p=20,P18p=20,P17p=23} pWaitTime=" | rex max_match=3 "(?<Par>P[1-9][0-9]*)"

Output is exactly 3 values in Par.

Par	_raw
P302 P1 P301	[SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 pTime={P302=11,P1=7,P301=13,P2=24,P3=23,P4=31,P5=25,P6=23,P300=13,P7=23,P8=24,P9=24,P10=21,P12=24,P11=23,P1000=1,P14=26,P13=24,P16=21,P15=20,P18=20,P17=23} pProcessTime={P302p=10,P1p=6,P301p=12,P2p=23,P3p=22,P4p=30,P5p=24,P6p=23,P300p=13,P7p=23,P8p=24,P9p=24,P10p=21,P12p=23,P11p=22,P1000p=0,P14p=26,P13p=23,P16p=20,P15p=20,P18p=20,P17p=23} pWaitTime=	2022-09-08 20:42:37

Maybe you need all of them? Then max_match=0.

Re: Capturing Multiple values in single group via regex

ITWhisperer — Fri, 09 Sep 2022 05:31:35 GMT

The ellipsis (...) were to indicate the rest of your command - try it like this

| rex max_match=3 "(?<Par>P[1-9][0-9]*)"

Re: Capturing Multiple values in single group via regex

abhishekbhasin — Fri, 09 Sep 2022 11:45:53 GMT

Thanks!. It works