topic Re: RegEx extract multiple values per field in Splunk Search

RegEx extract multiple values per field

splunkbeginner2 — Mon, 21 Jul 2014 22:22:01 GMT

Hello,
I am right now trying to reed Lotus Notes (to be coorect: Domincos console.log-file) Events. One of my problems I have, is the following:
(its not connected to Notes especially, but people should know, that at least someone tried it.)

Sometime I have an ID, but it can occur once, or comma separated twice. What can I do to get this value into two values for one field (I am using the search-time extraction).
e.g.
...[%Timestamp%] Message ABC123 delivered....
...[%Timestamp%] Message ABC129,ABC130 delivered....

My current RegEx extraction for the field is:
... (?P[\dA-Z]+) ...//some other fields exist before and afterwards

but how can I make it detect things twice.. ?

Thanks for your support!

Regards,
Xantor!

Re: RegEx extract multiple values per field

Suda — Tue, 22 Jul 2014 00:26:59 GMT

Hello,

I think you may have several solutions. I'd like to explain my idea.

I will change regex configuration.

... (?P<messageid>[0-9A-Z,]+) ...

And I will add the following search commands after your search command.

<your search> | makemv delim="," messageid

The field "messageid" will be multiple value field if it has 2 and more contents.

And if you add "| mvexpand messageid", you will get 2 events; ABC129, ABC130.

I hope it helps you.

Thank you.

Re: RegEx extract multiple values per field

splunkbeginner2 — Tue, 22 Jul 2014 00:37:17 GMT

Hey, that sounds interesting. I'll give it a try. mvexpand does only split the event into two, as soon as I search for it, correct?