Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to get many values for a particular field (ex) product_id..

dilstn
Explorer
‎03-18-2013 12:31 AM

If I use the regex for extracting product_id from this log it picks only one value of product_id
this is the regex i use "(?i)\"product_id\"=>\"(?P[^\"]+)"
but it gives value for product_id is "Bookflix - Latin America Bilingual "
but i cant get other product_id values from this single log ..........can u guide me....

Log 23/11/7 :: info parameter [{"product_id"=>"Bookflix - Latin America Bilingual ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"TrueFlix - Latin America ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"The Graph Club ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"Neighborhood Map Machine ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}, {"product_id"=>"Timeliner ", "subscription_start"=>"November 22, 2012", "subscription_end"=>"April 11, 2013", "intl_order_type_code"=>"Trial "}

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎03-18-2013 01:07 AM

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Rex

max_match
    Syntax: max_match=<int> 
    Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dilstn
Explorer
‎03-18-2013 02:30 AM

Sorry guys it works ....i made mistake to provide value in max_match=10 ..........Thanks for ur help

0 Karma
Reply
Solved! Jump to solution

dilstn
Explorer
‎03-18-2013 02:24 AM

rex "(?i)\"product_id\"=>\"(?P[^\"]+)"max_match=0
This is not working... please give me an example for this to work properly... thanks in advance..plzzzzzzz

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎03-18-2013 01:07 AM

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Rex

max_match
    Syntax: max_match=<int> 
    Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.
0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎03-18-2013 02:33 AM

No problem. Could you please mark my answer as accepted (click the tick mark beside it)? Thanks!

0 Karma
Reply
Solved! Jump to solution

dilstn
Explorer
‎03-18-2013 02:31 AM

Sorry yaar , it works ,, I made a mistake that by not providing value to max_match=10...thanks for ur kind help....

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎03-18-2013 02:25 AM

Which Splunk version? What are the current results?

0 Karma
Reply
Solved! Jump to solution

dilstn
Explorer
‎03-18-2013 02:23 AM

rex "(?i)\"product_id\"=>\"(?P[^\"]+)" max_match=0

This is not working ....please give me an example for this to work properly ....thanks in advance ....plzzzzz.

0 Karma
Reply
Solved! Jump to solution

dilstn
Explorer
‎03-18-2013 12:58 AM

only through rex i want to extract it

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎03-18-2013 12:45 AM

How are you extracting it? rex, entry in props.conf? The default behaviour is to only extract one value but that can easily be changed.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...