Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Field extraction with multiple matches per lin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm trying to pull out the MAC addresses from a series of records which is mostly working using the following regex in the field extraction :-
(?i) .*? (?P
The problem I'm finding is that I have two MAC addresses in a number of records and the field extraction is only seeing the first in the record. The examples below show what I mean, only the Bold MAC is being caught.
Jun 15 14:54:26 10.2.196.20 90: Jun 15 13:55:00.703 UTC: %DOT11-6-ROAMED: Station 0013.e8f5.f15d Roamed to 001e.4ae0.3f50
Jun 15 14:34:55 10.2.196.26 32: 000030: Jun 15 13:35:29.536 UTC: %DOT11-6-ROAMED: Station 2477.0338.1c64 Roamed to 001e.4ae0.3dc0
Jun 15 14:33:34 10.2.196.36 4689: 012274: Jun 15 13:34:08.300 UTC: %DOT11-6-ROAMED: Station 5894.6b3e.f98c Roamed to 001e.7a17.c670
Jun 15 14:33:32 10.2.196.36 4686: 012271: Jun 15 13:34:06.734 UTC: %DOT11-6-ROAMED: Station 8853.2ec4.b913 Roamed to 001e.7a17.bb90
Jun 15 14:33:05 10.2.196.32 125: 000123: Jun 15 13:33:39.710 UTC: %DOT11-6-ROAMED: Station 2477.0317.10b0 Roamed to 001e.4ade.ed50
Is there a way to catch multiple occurrences on the same line?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
This is if you've setup a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I also had a same question.
http://splunk-base.splunk.com/answers/53883/how-to-configure-mv_add-in-the-search-language
and I came up with this search...
"some saerch to filter" | rex field=string max_match=10000 "(?<chars>...)" | chart count by string chars
This will get any 3 chars in a field called string.
I hope this also good for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
This is if you've setup a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks worked for me!
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
