Splunk Search

Field extraction with multiple matches per line

Explorer

Hi all,

I'm trying to pull out the MAC addresses from a series of records, which is mostly working using the following regex in the field extraction:

(?i) .*? (?P[a-fA-F0-9]+.[a-fA-F0-9]+.[a-fA-F0-9]+)(?= )

The problem I'm finding is that I have two MAC addresses in a number of records and the field extraction is only seeing the first in the record. The examples below show what I mean; only the bold MAC is being caught.

Jun 15 14:54:26 10.2.196.20 90: Jun 15 13:55:00.703 UTC: %DOT11-6-ROAMED: Station 0013.e8f5.f15d Roamed to 001e.4ae0.3f50

Jun 15 14:34:55 10.2.196.26 32: 000030: Jun 15 13:35:29.536 UTC: %DOT11-6-ROAMED: Station 2477.0338.1c64 Roamed to 001e.4ae0.3dc0

Jun 15 14:33:34 10.2.196.36 4689: 012274: Jun 15 13:34:08.300 UTC: %DOT11-6-ROAMED: Station 5894.6b3e.f98c Roamed to 001e.7a17.c670

Jun 15 14:33:32 10.2.196.36 4686: 012271: Jun 15 13:34:06.734 UTC: %DOT11-6-ROAMED: Station 8853.2ec4.b913 Roamed to 001e.7a17.bb90

Jun 15 14:33:05 10.2.196.32 125: 000123: Jun 15 13:33:39.710 UTC: %DOT11-6-ROAMED: Station 2477.0317.10b0 Roamed to 001e.4ade.ed50

Is there a way to catch multiple occurrences on the same line?

Thanks,

1 Solution

Legend

Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false

This applies if you've set up a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.


Motivator

Hi, I also had the same question.

http://splunk-base.splunk.com/answers/53883/how-to-configure-mv_add-in-the-search-language

and I came up with this search...

"some search to filter" | rex field=string max_match=10000 "(?<chars>...)" | chart count by string chars

This will get any 3 chars in a field called string.

I hope this is also good for you.
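The two answers above describe the same behaviour from two sides: a REPORT transform with MV_ADD = true, or rex with max_match, both turn the extraction into a multivalue field instead of keeping only the first hit. The following Python script is an added example (not code from the thread or from Splunk) that emulates both behaviours on the question's own sample events, so the pattern can be checked before it goes into transforms.conf. It uses a tighter pattern than the one in the question, anchored to Cisco's dotted-triplet MAC format (three groups of exactly four hex digits separated by literal dots), and the stanza names, the field name mac and the SPL line in the comments are assumptions for illustration.

```python
import re

# Constructed sample events, copied from the question above (Cisco %DOT11-6-ROAMED syslog).
SAMPLE_EVENTS = [
    "Jun 15 14:54:26 10.2.196.20 90: Jun 15 13:55:00.703 UTC: %DOT11-6-ROAMED: Station 0013.e8f5.f15d Roamed to 001e.4ae0.3f50",
    "Jun 15 14:34:55 10.2.196.26 32: 000030: Jun 15 13:35:29.536 UTC: %DOT11-6-ROAMED: Station 2477.0338.1c64 Roamed to 001e.4ae0.3dc0",
    "Jun 15 14:33:34 10.2.196.36 4689: 012274: Jun 15 13:34:08.300 UTC: %DOT11-6-ROAMED: Station 5894.6b3e.f98c Roamed to 001e.7a17.c670",
]

# Cisco dotted-triplet MAC: exactly 4 hex digits, a literal dot, repeated three times.
# The escaped dots and \b word boundaries stop it matching inside a timestamp such
# as 13:55:00.703 or an IP such as 10.2.196.20, which an unescaped "." could hit.
MAC_RE = re.compile(r"(?i)\b(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")

# Equivalent Splunk configuration (assumed stanza names; example, not from the thread):
#
#   props.conf
#     [cisco_dot11]
#     REPORT-mac = mac_extract
#
#   transforms.conf
#     [mac_extract]
#     REGEX  = (?i)\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b
#     FORMAT = mac::$1
#     MV_ADD = true
#
#   Ad-hoc equivalent in a search (max_match=0 means unlimited matches):
#     ... | rex field=_raw max_match=0 "(?i)\b(?<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b"


def first_mac(event):
    """Emulates MV_ADD = false: only the first match in the event is kept."""
    m = MAC_RE.search(event)
    return m.group("mac") if m else None


def all_macs(event):
    """Emulates MV_ADD = true / rex max_match=0: every match becomes a multivalue entry."""
    return MAC_RE.findall(event)


def roam_pairs(events):
    """Pair each event's first MAC (station) with its second (new access point).

    Events with fewer than two MACs are skipped rather than producing a half pair.
    """
    pairs = []
    for event in events:
        macs = all_macs(event)
        if len(macs) >= 2:
            pairs.append((macs[0], macs[1]))
    return pairs


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("first only :", first_mac(event))
        print("multivalue :", all_macs(event))
    print("station -> AP pairs:", roam_pairs(SAMPLE_EVENTS))
```

Running it shows first_mac returning only the station MAC for each event (the behaviour described in the question) while all_macs returns both, which is what the multivalue field looks like once MV_ADD is true. The same REGEX string can be pasted into the transforms.conf stanza unchanged; the named group is only needed for the rex form.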
