Getting Data In

How to get many values for a particular field (e.g. product_id)?

dilstn
Explorer

If I use the regex for extracting product_id from this log, it picks only one value of product_id.
This is the regex I use: "(?i)\"product_id\"=>\"(?P<product_id>[^\"]+)"
But the value it gives for product_id is "Bookflix - Latin America Bilingual ".
I can't get the other product_id values from this single log. Can you guide me?

Log 23/11/7 :: info parameter [{"product_id"=>"Bookflix - Latin America Bilingual ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"TrueFlix - Latin America ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"The Graph Club ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"Neighborhood Map Machine ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"Timeliner ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}

0 Karma
1 Solution

Ayn
Legend

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Rex

max_match
    Syntax: max_match=<int> 
    Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited. 

0 Karma
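
A complete search applying the max_match option from the answer above to the regex from the question (an added example, not part of the original thread). It assumes a Splunk version that provides makeresults; the event text is a constructed, shortened copy of the log in the question, and product_count is a field name introduced here for illustration.

```spl
| makeresults
| eval _raw="info parameter [{\"product_id\"=>\"Bookflix - Latin America Bilingual \", \"intl_order_type_code\"=>\"Trial \"}, {\"product_id\"=>\"TrueFlix - Latin America \", \"intl_order_type_code\"=>\"Trial \"}, {\"product_id\"=>\"The Graph Club \", \"intl_order_type_code\"=>\"Trial \"}]"
| rex field=_raw max_match=0 "(?i)\"product_id\"=>\"(?P<product_id>[^\"]+)\""
| eval product_count=mvcount(product_id)
| mvexpand product_id
| eval product_id=trim(product_id)
| table product_id product_count
```

With max_match=0, product_id becomes a multivalue field holding all three names, and mvexpand turns it into one row per product. With the default max_match=1, the same search returns only the first product_id.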

dilstn
Explorer

Sorry guys, it works. I made a mistake providing the value in max_match=10. Thanks for your help.

0 Karma

dilstn
Explorer

rex "(?i)\"product_id\"=>\"(?P<product_id>[^\"]+)"max_match=0
This is not working. Please give me an example for this to work properly. Thanks in advance, please.

0 Karma

Ayn
Legend

No problem. Could you please mark my answer as accepted (click the tick mark beside it)? Thanks!

0 Karma

dilstn
Explorer

Sorry yaar, it works. I made a mistake by not providing a value to max_match=10. Thanks for your kind help.

0 Karma

Ayn
Legend

Which Splunk version? What are the current results?

0 Karma

dilstn
Explorer

rex "(?i)\"product_id\"=>\"(?P<product_id>[^\"]+)" max_match=0

This is not working. Please give me an example for this to work properly. Thanks in advance, please.

0 Karma

dilstn
Explorer

I want to extract it only through rex.

0 Karma

Ayn
Legend

How are you extracting it? rex, entry in props.conf? The default behaviour is to only extract one value but that can easily be changed.

0 Karma