topic How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274834#M82906 <P>Here is the logged event:</P> <PRE><CODE>SepsisGraphBuilderImpl: 11252495 MS VitalsGraphBuilderImpl: 2257 MS Mic2GraphBuilder: 358360 MS RasGraphBuilderImpl: 201 MS PatientInfoGraphBuilder: 1992 MS InterventionEventGraphBuilderImpl: 372 MS ObservationInfoGraphBuilder: 42472 MS DrugOrderGraphBuilder: 31849 MS SurgeryAndRadiologyGraphBuilder: 232 MS </CODE></PRE> <P>I am wanting to grab each graphbuilder and the time in MS. I thought this search would work, but I am only getting Mic2GraphBuilder:</P> <PRE><CODE>host=s*gs* *GraphBuilder* | rex field=_raw "(?&lt;object&gt;\w+GraphBuilder*): (?&lt;totalms&gt;\d+) MS" | table object, totalms </CODE></PRE> Tue, 08 Dec 2015 17:28:56 GMT pkudrle 2015-12-08T17:28:56Z How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274834#M82906 <P>Here is the logged event:</P> <PRE><CODE>SepsisGraphBuilderImpl: 11252495 MS VitalsGraphBuilderImpl: 2257 MS Mic2GraphBuilder: 358360 MS RasGraphBuilderImpl: 201 MS PatientInfoGraphBuilder: 1992 MS InterventionEventGraphBuilderImpl: 372 MS ObservationInfoGraphBuilder: 42472 MS DrugOrderGraphBuilder: 31849 MS SurgeryAndRadiologyGraphBuilder: 232 MS </CODE></PRE> <P>I am wanting to grab each graphbuilder and the time in MS. I thought this search would work, but I am only getting Mic2GraphBuilder:</P> <PRE><CODE>host=s*gs* *GraphBuilder* | rex field=_raw "(?&lt;object&gt;\w+GraphBuilder*): (?&lt;totalms&gt;\d+) MS" | table object, totalms </CODE></PRE> Tue, 08 Dec 2015 17:28:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274834#M82906 pkudrle 2015-12-08T17:28:56Z Re: How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274835#M82907 <P>Your regex is looking for words that end with "GraphBuilde" and any number of r's on the end. Try this</P> <PRE><CODE>host=s*gs* *GraphBuilder* | rex field=_raw "(?&lt;object&gt;\w+GraphBuilder\w*): (?&lt;totalms&gt;\d+) MS" | table object, totalms </CODE></PRE> <P>If you have one graphbuilder/time pair per event then this will work. If you have multiple pairs per event then you will have to add <CODE>max_match=0</CODE> to the rex command and then process the object and totalms fields as multi-valued fields.</P> Tue, 08 Dec 2015 17:54:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274835#M82907 richgalloway 2015-12-08T17:54:13Z Re: How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274836#M82908 <P>Without a Splunk in front of me, I wonder if it's actually be easier to use <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/extract">extract</A> with perhaps <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/untable">untable</A> something like...</P> <PRE><CODE>host=s*gs* *GraphBuilder* | extract kvdelim=":" | untable _time object totalms </CODE></PRE> <P>There may be some eval to clean up but it seems like it'd be easier than fighting regular expressions to make multi valued fields.</P> Wed, 09 Dec 2015 01:20:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274836#M82908 acharlieh 2015-12-09T01:20:43Z Re: How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274837#M82909 <P>how do you then parse the multi-valued fields as pairs?</P> Wed, 09 Dec 2015 14:32:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274837#M82909 pkudrle 2015-12-09T14:32:04Z Re: How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274838#M82910 <P>You combine the two multi-valued fields and then expand them into separate events. Then you process each event as you normally would. Something like this.</P> <PRE><CODE>host=s*gs* *GraphBuilder* | rex field=_raw "(?&lt;object&gt;\w+GraphBuilder\w*): (?&lt;totalms&gt;\d+) MS" | eval pairs=mvzip(object,totalms) | mvexpand pairs | ... </CODE></PRE> Wed, 09 Dec 2015 14:45:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274838#M82910 richgalloway 2015-12-09T14:45:11Z Re: How do I edit my regular expression for rex to extract all expected fields and values from my sample multiline event? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274839#M82911 <P>Unfortunately there is some text before and afterwards that interfere</P> Wed, 09 Dec 2015 17:00:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-regular-expression-for-rex-to-extract-all/m-p/274839#M82911 pkudrle 2015-12-09T17:00:23Z