Solved: Re: Field extraction with multiple matches per lin...

martinpugh · ‎06-15-2012

Hi all,

I'm trying to pull out the MAC addresses from a series of records which is mostly working using the following regex in the field extraction :-

(?i) .*? (?P[a-fA-F0-9]+.[a-fA-F0-9]+.[a-fA-F0-9]+)(?= )

The problem I'm finding is that I have two MAC addresses in a number of records and the field extraction is only seeing the first in the record. The examples below show what I mean, only the Bold MAC is being caught.

Jun 15 14:54:26 10.2.196.20 90: Jun 15 13:55:00.703 UTC: %DOT11-6-ROAMED: Station 0013.e8f5.f15d Roamed to 001e.4ae0.3f50

Jun 15 14:34:55 10.2.196.26 32: 000030: Jun 15 13:35:29.536 UTC: %DOT11-6-ROAMED: Station 2477.0338.1c64 Roamed to 001e.4ae0.3dc0

Jun 15 14:33:34 10.2.196.36 4689: 012274: Jun 15 13:34:08.300 UTC: %DOT11-6-ROAMED: Station 5894.6b3e.f98c Roamed to 001e.7a17.c670

Jun 15 14:33:32 10.2.196.36 4686: 012271: Jun 15 13:34:06.734 UTC: %DOT11-6-ROAMED: Station 8853.2ec4.b913 Roamed to 001e.7a17.bb90

Jun 15 14:33:05 10.2.196.32 125: 000123: Jun 15 13:33:39.710 UTC: %DOT11-6-ROAMED: Station 2477.0317.10b0 Roamed to 001e.4ade.ed50

Is there a way to catch multiple occurrences on the same line?

Thanks,

Ayn · ‎06-15-2012

Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false

This is if you've setup a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.

View solution in original post

melonman · ‎08-09-2012

Hi I also had a same question.

http://splunk-base.splunk.com/answers/53883/how-to-configure-mv_add-in-the-search-language

and I came up with this search...

"some saerch to filter" | rex field=string max_match=10000 "(?<chars>...)" | chart count by string chars

This will get any 3 chars in a field called string.

I hope this also good for you.

Ayn · ‎06-15-2012

Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false

This is if you've setup a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.

becksyboy · ‎07-23-2021

Thanks worked for me!

Field extraction with multiple matches per line

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation