Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract all regex matches as a list in each log

nagulan_s
Loves-to-Learn Everything
‎06-06-2022 11:01 PM

Input:

Message                                                          ID

... tt_1 ... tt_2 ... tt_9 ... tt_3                        1

... tt_6 ... tt_4 ... tt_5                                      2

 

Ouput:

Message                                                          ID     TT

... tt_1 ... tt_2 ... tt_9 ... tt_3                        1       tt_1 tt_2 tt_9 tt_3

... tt_6 ... tt_4 ... tt_5                                      2.     tt_6 tt_4 tt_5

In the above "Message" field the "..." indicates some random text in between. So basically I want to extract all words starting with "tt_" and display it as in the table shown above. Can anyone help be with the splunk query of it.

Labels (2)
Labels
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 11:37 PM

Hi @nagulan_s,

if you could share some sample of your logs I could be more sure about the regex.

Anyway, supposing that you have to extract values starting with "tt-" and with a number, you could use something like this:

your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT

Ciao.

Giuseppe

0 Karma
Reply

nagulan_s
Loves-to-Learn Everything
‎06-06-2022 11:43 PM

I tried something like this but the output is not as expected.

Expected output:

Message                                                          ID     TT

... tt_1 ... tt_2 ... tt_9 ... tt_3                        1       tt_1 tt_2 tt_9 tt_3

 

Output from your suggestion:

Message                                                          ID     TT

... tt_1 ... tt_2 ... tt_9 ... tt_3                        1       tt_1 

... tt_1 ... tt_2 ... tt_9 ... tt_3                        1       tt_2 

... tt_1 ... tt_2 ... tt_9 ... tt_3                        1       tt_9 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 11:48 PM

Hi @nagulan_s ,

you have to add max_match to your rex command

your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT

Ciao.

Giuseppe

0 Karma
Reply

nagulan_s
Loves-to-Learn Everything
‎06-06-2022 11:55 PM

This is what I am using. and the result is like the table in the above reply.

 | rex max_match=0 field=ErrorMessage "Time spent on step (?<stepID>.*) : " | table Messages, UMID, stepID

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 12:05 AM

Hi @nagulan_s,

could you share a sample of your logs?

So I could be more sure about the regex.

Ciao.

Giuseppe

0 Karma
Reply

nagulan_s
Loves-to-Learn Everything
‎06-07-2022 12:13 AM

Why do you think there maybe a problem in the regex? I am able to extract all the regex matches in each log, but the problem is each match is displayed as a separate row, I want all regex match in a single log in a row itself.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 02:00 AM

Hi @nagulan_s,

the solution should be 

your_search
| rex max_match=0 field=Message "(?<TT>tt_\d+)"
| table Message ID TT
| nomv TT

at the end of your search, because the nomv command put all the multivalues in one row, but I don't know why it doesn't run in this search!

I'd like to make a test on the original source to see if, maybe, there's some problem in the regex

Ciao.

Giuseppe

0 Karma
Reply

nagulan_s
Loves-to-Learn Everything
‎06-07-2022 12:23 AM

@gcusello 

You can maybe take the example from here https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-field-if-....

My doubt is exactly the same but in the answer section they didnt use rex, maybe can you give me a solution with rex for the same question

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 12:34 AM

Hi @nagulan_s,

in that question they used eval becauase values was separated by a char but you displayed a different data, for this reason I asked to share a sample of your logs: I cannot use a regex without it.

using the data you shared I have the result you want

gcusello_0-1654587263750.png

 

If it's a reserved data, you can mask it but don't change the log structure and please a full event.

Ciao.

Giuseppe.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top