Solved: Regex field extracting more than one field with sa...

erikwie · ‎02-08-2021

I got to extract some fields of a JSON log.
Log buildup eksample:
{"name":"cookie","Value":"Foo"}
{"name":"cookie","Value":"Bar"}
{"name":"cookie","Value":"Foobar"}

The problem is that I got several loglines that all is called "cookie" but have different values, and I need to extract a mulitvalue field "cookie" with all the different values as a multivalue field.
But not every logentry is like this, some is just one "cookie" entry.

This is the regex string I'v used, but then the value of the "cookie" field only contains the first cookie record from the log.
| rex field=_raw "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

View solution in original post

ITWhisperer · ‎02-08-2021

| rex field=_raw max_match=0 "\Sname\S{3}cookie\S{3}\w{5}\S{3}(?<h2_cookie>[\w\=\-\+\.\&\;\s]*)"

erikwie · ‎02-08-2021

Thank you,
max_match did it.

Regex field extracting more than one field with same name and different value

field extraction

JSON

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?