Solved: Re: Index time extraction multiple regex match

GaetanVP · ‎09-19-2023

Hello Splunkers,

I have a index-time field extraction question, here is my raw log :
wheel:x:10:user1,user2,user3

I would like to use props.conf and transforms.conf to extract the users

props.conf :

[mysourcetype]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-users = get-users

transforms.conf :

[get-users]
REGEX = (\d:|,)(?<user>\w+)
FORMAT = users::$1

With my current config, I will only be able to extract the first match of my regex who is here the user1.
How could I extract and store each user value ?

Thanks for your time,
GaetanVP

richgalloway · ‎09-19-2023

Index-time extractions don't have an equivalent to the max_match option of the rex command. Consider extracting all users together and then extracting them at search time.

[get-users]
REGEX = (\d:)(?<user>.+)
FORMAT = users::$1

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-19-2023

Index-time extractions don't have an equivalent to the max_match option of the rex command. Consider extracting all users together and then extracting them at search time.

[get-users]
REGEX = (\d:)(?<user>.+)
FORMAT = users::$1

---
If this reply helps you, Karma would be appreciated.

GaetanVP · ‎09-21-2023

Hello @richgalloway,

Thanks for the information, I will try to do that !

Regards,
GaetanVP

How to extract Index time in multiple regex match?

using Splunk Enterprise

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases