Solved: Regex field extracting more than one field with sa...

erikwie · ‎02-08-2021

I got to extract some fields of a JSON log.
Log buildup eksample:
{"name":"cookie","Value":"Foo"}
{"name":"cookie","Value":"Bar"}
{"name":"cookie","Value":"Foobar"}

The problem is that I got several loglines that all is called "cookie" but have different values, and I need to extract a mulitvalue field "cookie" with all the different values as a multivalue field.
But not every logentry is like this, some is just one "cookie" entry.

This is the regex string I'v used, but then the value of the "cookie" field only contains the first cookie record from the log.
| rex field=_raw "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

View solution in original post

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

erikwie · ‎02-08-2021

Thank you,
max_match did it.

Regex field extracting more than one field with same name and different value

field extraction

JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation