Deduping max-match on a rex.

howyagoin · ‎12-23-2011

I've got some data I'm matching with a rex akin to:

| rex max_match=5 field=_raw "(?<myvalue>\d{4})"

However, if my data looks like this:

name=Bill 1234 rhubarb 1234 5678 colour=green
name=Dana 8273 apple 4428 8312 colour=purple

Then the match is finding 1234 twice and 5678 once for bill, and all three values for Dana.

What I'm after is a table of output that has something like:

name          myvalue
----------------------------
Bill          1234 5678
Dana          8273 4428 8312

Right now I'm getting Bill's entry having 1234 listed twice...

name          myvalue
----------------------------
Bill          1234 1234 5678
Dana          8273 4428 8312

I've found ways of doing this for a single combination of fields by using:

| chart values(myvalue) over name

But that doesn't work if I want to add a third field, such as colour:

name          myvalue          colour
---------------------------------------
Bill          1234 5678        green
Dana          8273 4428 8312   purple

Ideas?

eelisio2 · ‎12-23-2011

I believe this is what you are looking for.

| stats values(myvalue) as MyValues, values(colour) as Colours by name

DalJeanis · ‎03-07-2018

You could also use ...

| eval myvalue=mvdedup(myvalue)

...which will sort the multivalue field into order and dedup the results.

Deduping max-match on a rex.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Deduping max-match on a rex.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine