Solved: How can regex extract multiple values?

dbcase · ‎05-24-2018

Hi,

I have the below data and query (with Regex), what I'd like to have the Regex do is extract ALL occurrences of MAC and RSSI values. Is there any way it can do that?

index="camera_status" sourcetype=access_combined_camerastatus|rex "Premise=\s+(?<premiseid>\d+)"|rex "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex "RSSI=\s+(?<rssiid>-\d+)"|where rssiid!=0|table premiseid, macid, rssiid

Premise= 434268
Name= Rawr
    IP= 172.16.12.103
    ID= 4
    Mac= 78:94:B4:FF:7F:C4
    FW Ver= 3.0.02.51
    Manufacturer= iControl
    Model= iCamera2-C
    Video Size= LARGE
    Verified= true
    RSSI= -45 dB
    Supported Video Formats= [MJPEG, FLV, RTSP]
    Supported Video Codecs= [H264, MPEG4]
    FLV URL= https://172.16.12.103:80/openhome/streaming/channels/0/flv
    MJPEG URL= https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg
    API Version= 3.3
    MotionTurnedOn= false
    Local Video Aspect Ratio= 16:9
    Local Video Resolution= 1280:720
    Remote Video Aspect Ratio= 16:9
    Remote Video Resolution= 1280:720
Name= SammyCam
    IP= 172.16.12.100
    ID= 2
    Mac= B4:A5:EF:E7:21:91
    FW Ver= 3.0.02.51
    Manufacturer= iControl
    Model= iCamera2-C
    Video Size= LARGE
    Verified= true
    RSSI= -45 dB
    Supported Video Formats= [MJPEG, FLV, RTSP]
    Supported Video Codecs= [H264, MPEG4]
    FLV URL= https://172.16.12.100:80/openhome/streaming/channels/0/flv
    MJPEG URL= https://172.16.12.100:80/openhome/streaming/channels/2/mjpeg
    API Version= 3.3
    MotionTurnedOn= false
    Local Video Aspect Ratio= 16:9
    Local Video Resolution= 1280:720
    Remote Video Aspect Ratio= 16:9
    Remote Video Resolution= 1280:720
Name= Unicorn Zombie Apocalypse
    IP= 172.16.12.102
    ID= 5
    Mac= 78:94:B4:FF:7F:BF
    FW Ver= 3.0.02.51
    Manufacturer= iControl
    Model= iCamera2-C
    Video Size= LARGE
    Verified= true
    RSSI=  dB
    Supported Video Formats= [MJPEG, FLV, RTSP]
    Supported Video Codecs= [H264, MPEG4]
    FLV URL= 
    MJPEG URL= 
    API Version= 3.3
    MotionTurnedOn= false
    Local Video Aspect Ratio= 16:9
    Local Video Resolution= 1280:720
    Remote Video Aspect Ratio= 16:9
    Remote Video Resolution= 1280:720

MuS · ‎05-24-2018

Hi dbcase,

add max_match=0 to all rex like

|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"

Hope this helps ...

cheers, MuS

View solution in original post

wrangler2x · ‎05-24-2018

A small tweak to your capture expression...

|rex max_match=0 field=foo "Mac=\s+(?<macid>[^\n\s]+)"
|rex max_match=0 field=foo "RSSI=\s+(?<rssiid>[^\n\s]+)"

Adding the - in there causes it to miss the third RSSI value, which has no hyphen. These stop on whitespace or end of line.

MuS · ‎05-24-2018

Hi dbcase,

add max_match=0 to all rex like

|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"

Hope this helps ...

cheers, MuS

How can regex extract multiple values?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation