Solved: Regex field extracting more than one field with sa...

erikwie · ‎02-08-2021

I got to extract some fields of a JSON log.
Log buildup eksample:
{"name":"cookie","Value":"Foo"}
{"name":"cookie","Value":"Bar"}
{"name":"cookie","Value":"Foobar"}

The problem is that I got several loglines that all is called "cookie" but have different values, and I need to extract a mulitvalue field "cookie" with all the different values as a multivalue field.
But not every logentry is like this, some is just one "cookie" entry.

This is the regex string I'v used, but then the value of the "cookie" field only contains the first cookie record from the log.
| rex field=_raw "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

View solution in original post

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

erikwie · ‎02-08-2021

Thank you,
max_match did it.

Regex field extracting more than one field with same name and different value

field extraction

JSON

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?