Splunk Search

Extract all regex matches as a list in each log

nagulan_s
Loves-to-Learn Everything

Input:

Message                                  ID
... tt_1 ... tt_2 ... tt_9 ... tt_3      1
... tt_6 ... tt_4 ... tt_5               2

 

Output:

Message                                  ID   TT
... tt_1 ... tt_2 ... tt_9 ... tt_3      1    tt_1 tt_2 tt_9 tt_3
... tt_6 ... tt_4 ... tt_5               2    tt_6 tt_4 tt_5

In the above "Message" field the "..." indicates some random text in between. So basically I want to extract all words starting with "tt_" and display them as in the table shown above. Can anyone help me with the Splunk query for it?


gcusello
SplunkTrust

Hi @nagulan_s,

if you could share some samples of your logs I could be more sure about the regex.

Anyway, supposing that you have to extract values starting with "tt_" followed by a number, you could use something like this:

your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT

Ciao.

Giuseppe


nagulan_s
Loves-to-Learn Everything

I tried something like this but the output is not as expected.

Expected output:

Message                                  ID   TT
... tt_1 ... tt_2 ... tt_9 ... tt_3      1    tt_1 tt_2 tt_9 tt_3

 

Output from your suggestion:

Message                                  ID   TT
... tt_1 ... tt_2 ... tt_9 ... tt_3      1    tt_1
... tt_1 ... tt_2 ... tt_9 ... tt_3      1    tt_2
... tt_1 ... tt_2 ... tt_9 ... tt_3      1    tt_9


gcusello
SplunkTrust

Hi @nagulan_s ,

you have to add max_match to your rex command

your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT

Ciao.

Giuseppe


nagulan_s
Loves-to-Learn Everything

This is what I am using, and the result is like the table in the reply above.

your_search
| rex max_match=0 field=ErrorMessage "Time spent on step (?<stepID>.*?) : "
| table Messages, UMID, stepID

 


gcusello
SplunkTrust

Hi @nagulan_s,

could you share a sample of your logs?

So I could be more sure about the regex.

Ciao.

Giuseppe


nagulan_s
Loves-to-Learn Everything

Why do you think there may be a problem in the regex? I am able to extract all the regex matches in each log, but the problem is that each match is displayed as a separate row; I want all the regex matches from a single log in one row.


gcusello
SplunkTrust

Hi @nagulan_s,

the solution should be 

your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT
| nomv TT

at the end of your search, because the nomv command puts all the multivalues in one row, but I don't know why it doesn't work in this search!

I'd like to make a test on the original source to see if, maybe, there's some problem in the regex

Ciao.

Giuseppe

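A self-contained search that reproduces the whole thread on constructed sample data, as an added example rather than anything posted above. `makeresults` and `streamstats` build the two sample events (the `Message` strings are constructed stand-ins for the "..." in the question, not real logs), `rex max_match=0` returns every match as one multivalue field, and `mvjoin` flattens that field into the single space-separated string shown in the expected output. The regex uses `\btt_\w+` rather than `tt_\d+` because the question asks for every word starting with `tt_`; that widening is an assumption. The same pattern applies to the `Time spent on step` search earlier in the thread, with `ErrorMessage`, `UMID` and `stepID` substituted.

```spl
| makeresults count=2
| streamstats count AS ID
| eval Message=case(ID=1, "start tt_1 some text tt_2 more text tt_9 end tt_3",
                    ID=2, "other tt_6 text tt_4 here tt_5")
| rex max_match=0 field=Message "(?<TT>\btt_\w+)"
| eval TT=mvjoin(TT, " ")
| table Message ID TT
```

Paste it into the search bar as-is (the leading pipe is intentional; `makeresults` replaces `your_search`). Without the `mvjoin` line the `TT` column is still a multivalue field, which the results table renders as stacked values inside a single cell; that is what looks like "one row per match" in the output quoted above. `nomv TT` also collapses the field, but `mvjoin` lets you pick the separator, so it produces exactly the `tt_1 tt_2 tt_9 tt_3` format the question asks for.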

nagulan_s
Loves-to-Learn Everything

@gcusello 

You can maybe take the example from here https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-field-if-....

My doubt is exactly the same, but in the answer section they didn't use rex. Maybe you can give me a solution with rex for the same question?


gcusello
SplunkTrust

Hi @nagulan_s,

in that question they used eval because the values were separated by a character, but you showed different data; for this reason I asked you to share a sample of your logs: I cannot use a regex without it.

Using the data you shared, I get the result you want:

(screenshot attached: gcusello_0-1654587263750.png)

If the data is confidential, you can mask it, but don't change the log structure, and please share a full event.

Ciao.

Giuseppe.
