If I use the regex for extracting product_id from this log, it picks only one value of product_id.
This is the regex I use: "(?i)\"product_id\"=>\"(?P
But the value it gives for product_id is "Bookflix - Latin America Bilingual ".
But I can't get the other product_id values from this single log. Can you guide me?
Log 23/11/7 :: info parameter [{"product_id"=>"Bookflix - Latin America Bilingual ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"TrueFlix - Latin America ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"The Graph Club ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"Neighborhood Map Machine ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"Timeliner ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Rex
max_match
Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.
Sorry guys, it works. I made a mistake in providing the value in max_match=10. Thanks for your help.
rex "(?i)\"product_id\"=>\"(?P
This is not working. Please give me an example for this to work properly. Thanks in advance, please.
No problem. Could you please mark my answer as accepted (click the tick mark beside it)? Thanks!
Sorry yaar, it works. I made a mistake by not providing a value to max_match=10. Thanks for your kind help.
Which Splunk version? What are the current results?
rex "(?i)\"product_id\"=>\"(?P
This is not working. Please give me an example for this to work properly. Thanks in advance, please.
I want to extract it only through rex.
How are you extracting it? rex, entry in props.conf? The default behaviour is to only extract one value but that can easily be changed.
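An added example, not written by anyone in this thread and not Splunk's own code: a Python emulation of the max_match behaviour quoted from the rex documentation, run on a shortened copy of the event from the question. The pattern is an assumption, because the regex posted in the thread is cut off after `(?P`; the function names are hypothetical.

```python
import re

# Constructed sample: the event from the question, shortened to three entries.
EVENT = (
    'Log 23/11/7 :: info parameter ['
    '{"product_id"=>"Bookflix - Latin America Bilingual ", "intl_order_type_code"=>"Trial "}, '
    '{"product_id"=>"TrueFlix - Latin America ", "intl_order_type_code"=>"Trial "}, '
    '{"product_id"=>"The Graph Club ", "intl_order_type_code"=>"Trial "}]'
)

# Assumed pattern: the regex in the thread is truncated after "(?P", so the
# group name and the [^"]+ body are illustrative, not the poster's original.
PATTERN = r'(?i)"product_id"=>"(?P<product_id>[^"]+)"'


def rex(event, pattern, field, max_match=1):
    """Emulate the documented max_match option of rex.

    max_match=1 (the default): only the first match is extracted.
    max_match=0: unlimited matches.
    max_match=N > 1: at most N matches, returned as a multivalue list.
    """
    if max_match < 0:
        raise ValueError("max_match must be >= 0")
    values = []
    for m in re.finditer(pattern, event):
        values.append(m.group(field))
        # A limit of 0 means "no limit", so only stop for positive limits.
        if max_match and len(values) >= max_match:
            break
    return values


def product_ids(event, max_match=0):
    # Values in this log carry a trailing space; strip it before reporting.
    return [v.strip() for v in rex(event, PATTERN, "product_id", max_match)]


if __name__ == "__main__":
    print("default    :", rex(EVENT, PATTERN, "product_id"))
    print("max_match=0:", product_ids(EVENT))
```

With the default, only the Bookflix value comes back, which is the symptom described in the question; adding max_match to the rex command is what turns the field into a multivalued one.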