Regexing multiple values

WestlyB · ‎03-22-2016

Hello everyone,

I've been banging my head on this one. I'm sure it involves 'rex' which I'm not so familiar with.

I have the following search
search | regex _raw="|MAX TCP Connections||MAX UDP Connections|" | table _raw

Of course this spits out the entire _raw event. I'd like search for all events that match event with either MAX TCP Connection or MAX UDP Connection and send those to a field and when I use table, I see either MAX TCP Connections or MAX UDP Connections in the field. No event will have both. I really hope that makes sense. Any help would be great.

somesoni2 · ‎03-23-2016

Please provide some sample data and expected final output.

the_wolverine · ‎03-22-2016

"MAX TCP Connections" OR "MAX UDP Connections" | rex "(?<value>(MAX TCP Connections|MAX UDP Connections)" | stats count by value

WestlyB · ‎03-22-2016

Thanks for the reply! but this didn't work for me. 😞

the_wolverine · ‎03-23-2016

The match is case sensitive so edit as needed to exact match the string you are looking for.

MuS · ‎03-23-2016

Maybe add a max_match=0 to the regex or to make it case insensitive add (?i) to the regex like this rex "(?<value>(?i)(MAX TCP Connections|MAX UDP Connections)" and remember - this is un-tested since I have no Splunk instance handy right now 😉

Regexing multiple values

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms