Solved: Regex field extracting more than one field with sa...

erikwie · ‎02-08-2021

I got to extract some fields of a JSON log.
Log buildup eksample:
{"name":"cookie","Value":"Foo"}
{"name":"cookie","Value":"Bar"}
{"name":"cookie","Value":"Foobar"}

The problem is that I got several loglines that all is called "cookie" but have different values, and I need to extract a mulitvalue field "cookie" with all the different values as a multivalue field.
But not every logentry is like this, some is just one "cookie" entry.

This is the regex string I'v used, but then the value of the "cookie" field only contains the first cookie record from the log.
| rex field=_raw "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

View solution in original post

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

erikwie · ‎02-08-2021

Thank you,
max_match did it.

Regex field extracting more than one field with same name and different value

field extraction

JSON

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation