Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract both single-value and multivalue fields using rex

jhuxley
Engager
‎08-09-2017 09:43 AM

I seem to be unable to comment on the similar questions, but as they haven't answered my question, here I go.

With the event

node=hostname a0=first a1=second a2=third a3=fourth

using rex

rex max_match=0 field=_raw "node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+) a[1-9]=(?<args>[^\s]+)"

returns node, cmd and only 1 args

but

rex max_match=0 field=_raw "a[1-9]=(?<args>[^\s]+)"

returns all the args

Is there are way to achieve the former with args as a multivalue field?

0 Karma
Reply

jhuxley
Engager
‎08-11-2017 01:41 AM

thanks @somesoni2 you put me on the right track,

I changed my regex to extract all the a1-a99 paramters into a single field (args) and then ran a 2nd rex against that to extract them parameters into a multivalues field

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2017 06:38 AM

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

maciep
Champion
‎08-09-2017 12:47 PM

I think it's a regex thing, not a splunk thing. This is when regex starts to hurt my head but the following seems to work...just took a little playing around on regex101.

node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+)|\sa[1-9]=(?<args>\S+)

Ultimately, if you want regex to match multiples, each one would need to match what leads up to it. So I think this is telling regex that the node/a1 stuff can be there (a1) or even just space (a2-xxx). That's my understanding, but could also be making it up.

0 Karma
Reply

somesoni2
Revered Legend
‎08-09-2017 11:55 AM

Split into two rex statement, one for single value extraction and one for multivalued.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...