Splunk Enterprise

How to extract Index time in multiple regex match?

GaetanVP
Contributor

Hello Splunkers,

I have an index-time field extraction question, here is my raw log:
wheel:x:10:user1,user2,user3

I would like to use props.conf and transforms.conf to extract the users.

props.conf:

[mysourcetype]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-users = get-users

transforms.conf:

[get-users]
# leading group is non-capturing so that $1 is the named user group
REGEX = (?:\d:|,)(?<user>\w+)
FORMAT = users::$1

With my current config, I will only be able to extract the first match of my regex, which here is user1.
How could I extract and store each user value?

Thanks for your time,
GaetanVP


richgalloway
SplunkTrust
SplunkTrust

Index-time extractions don't have an equivalent to the max_match option of the rex command. Consider extracting all users together and then extracting them at search time.

[get-users]
# leading group is non-capturing so that $1 is the named user group
REGEX = (?:\d:)(?<user>.+)
FORMAT = users::$1
---
If this reply helps you, Karma would be appreciated.

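To make the two-stage approach in this answer concrete, here is an added Python model of the behaviour; it is not Splunk code and not richgalloway's. It applies a transforms.conf-style REGEX/FORMAT once per event, the way an index-time transform does (first match only, `$n` replaced by capture group n, named groups included in the numbering as in PCRE), and then splits the single indexed `users` value at search time, the way `makemv delim=","` or `rex max_match=0` would. The sample event is constructed from the log line in the question, and the regexes assume the leading group is non-capturing, `(?:\d:)`, so that `$1` refers to the named user group.

```python
import re

# Constructed sample event, same shape as the raw log in the question.
RAW_EVENT = "wheel:x:10:user1,user2,user3"

# Transform settings as they would appear in transforms.conf. The leading
# group is non-capturing so that $1 in FORMAT refers to the user value;
# named groups count in the $n numbering, as in PCRE.
FIRST_USER_REGEX = r"(?:\d:|,)(?<user>\w+)"   # matches once -> one user
ALL_USERS_REGEX = r"(?:\d:)(?<user>.+)"        # matches once -> whole list
FORMAT = "users::$1"


def _pcre_to_python(regex: str) -> str:
    """Python's re module spells named groups (?P<name>...); Splunk uses the
    PCRE (?<name>...) form, so rewrite that before compiling."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def index_time_extract(event: str, regex: str, fmt: str) -> dict:
    """Model of a Splunk index-time transform (REGEX + FORMAT).

    A transform runs once per event: only the first match of REGEX is used,
    and each $n in FORMAT is replaced by capture group n of that match.
    Returns the field::value pairs FORMAT produces.
    """
    match = re.search(_pcre_to_python(regex), event)
    if not match:
        return {}
    fields = {}
    for pair in fmt.split():
        name, template = pair.split("::", 1)
        value = re.sub(r"\$(\d+)",
                       lambda m: match.group(int(m.group(1))) or "",
                       template)
        fields[name] = value
    return fields


def search_time_makemv(fields: dict, field: str, delim: str = ",") -> list:
    """Model of `| makemv delim="," <field>`: split one indexed value into a
    multivalue field at search time."""
    return [v for v in fields.get(field, "").split(delim) if v]


def search_time_rex(fields: dict, field: str, regex: str, group: str) -> list:
    """Model of `| rex field=<field> max_match=0 "<regex>"`: every match of
    the regex contributes one value, which index-time transforms cannot do."""
    return [m.group(group)
            for m in re.finditer(_pcre_to_python(regex), fields.get(field, ""))]


if __name__ == "__main__":
    # The per-user regex only ever yields the first user at index time.
    print(index_time_extract(RAW_EVENT, FIRST_USER_REGEX, FORMAT))  # {'users': 'user1'}
    # Capture the whole list instead, then split it at search time.
    indexed = index_time_extract(RAW_EVENT, ALL_USERS_REGEX, FORMAT)
    print(indexed)  # {'users': 'user1,user2,user3'}
    print(search_time_makemv(indexed, "users"))
    print(search_time_rex(indexed, "users", r"(?<user>\w+)", "user"))
```

In Splunk itself the search-time half is a single pipeline stage on the indexed field, for example `sourcetype=mysourcetype | makemv delim="," users` or `sourcetype=mysourcetype | rex field=users max_match=0 "(?<user>\w+)"`, after which `user` (or `users`) is a multivalue field that `mvexpand`, `stats` and lookups handle normally.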
GaetanVP
Contributor

Hello @richgalloway

Thanks for the information, I will try to do that!

Regards,
GaetanVP
