topic Re: How to build a regular expression that will capture multiple numbers in a field? in Splunk Search

How to build a regular expression that will capture multiple numbers in a field?

shivarpith — Wed, 07 Dec 2016 15:42:48 GMT

my log looks like below and i wanted to know if i could make a single regular expression to extract all xxx-xxx numbers

The following messages were logged on 12/07/16 at 07:52:10.

0420-094: blah blah blah destination.
0423-245: blah blah blah  changed.
0420-098: blah blah blah  job.
0424-138: blah blah blah.

so if Regex is Number then i would like to see

number

or to better understand if i do a stats count by number

number         |     Count
0420-094       |       1
0423-245       |       1
0420-098       |       1
0424-138       |       1

i know i can do multiple regex's for each one and then coalesce to merge them all, but if there's a better way then why not 🙂

Re: How to build a regular expression that will capture multiple numbers in a field?

rjthibod — Wed, 07 Dec 2016 16:43:43 GMT

How about this?

your search ... | rex "(?<number>[^:]*)" | stats count as Count by number

Re: How to build a regular expression that will capture multiple numbers in a field?

shivarpith — Thu, 08 Dec 2016 13:03:02 GMT

Thank you for the response but the regex above will still pick the 1st number that came up in the log, i have a scenario where an event has 2-6 numbers like below but not limited to.
0420-094
0423-245
0420-098
0424-138

i want regex to parse all the values that match the regex, i was looking at MV_ADD option but not sure if that would work.

\n(?.*):

Re: How to build a regular expression that will capture multiple numbers in a field?

rjthibod — Thu, 08 Dec 2016 18:09:50 GMT

Sorry, I interpreted your original post to be different log messages.

Is your sourcetype already correctly differentiating your multiline log events? If not, that needs be cleaned up first.

Re: How to build a regular expression that will capture multiple numbers in a field?

rjthibod — Thu, 08 Dec 2016 18:20:44 GMT

If you are doing this at search time, then you would probably want the following in transforms.conf (you would reference the following transform in props.conf as well).

[MVNumber]
REGEX  = (\d+-\d+):
FORMAT = Number::$1
MV_ADD = true

And you would want to add the following to fields.conf

[Number]
TOKENIZER = (\d+-\d+):
INDEXED = false
INDEXED_VALUE = true

Re: How to build a regular expression that will capture multiple numbers in a field?

shivarpith — Thu, 08 Dec 2016 21:35:24 GMT

thank you, i will try it out and post the update. thanks a lot