Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can regex extract multiple values?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
05-24-2018
01:52 PM
Hi,
I have the below data and query (with Regex), what I'd like to have the Regex do is extract ALL occurrences of MAC and RSSI values. Is there any way it can do that?
index="camera_status" sourcetype=access_combined_camerastatus|rex "Premise=\s+(?<premiseid>\d+)"|rex "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex "RSSI=\s+(?<rssiid>-\d+)"|where rssiid!=0|table premiseid, macid, rssiid
Premise= 434268
Name= Rawr
IP= 172.16.12.103
ID= 4
Mac= 78:94:B4:FF:7F:C4
FW Ver= 3.0.02.51
Manufacturer= iControl
Model= iCamera2-C
Video Size= LARGE
Verified= true
RSSI= -45 dB
Supported Video Formats= [MJPEG, FLV, RTSP]
Supported Video Codecs= [H264, MPEG4]
FLV URL= https://172.16.12.103:80/openhome/streaming/channels/0/flv
MJPEG URL= https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg
API Version= 3.3
MotionTurnedOn= false
Local Video Aspect Ratio= 16:9
Local Video Resolution= 1280:720
Remote Video Aspect Ratio= 16:9
Remote Video Resolution= 1280:720
Name= SammyCam
IP= 172.16.12.100
ID= 2
Mac= B4:A5:EF:E7:21:91
FW Ver= 3.0.02.51
Manufacturer= iControl
Model= iCamera2-C
Video Size= LARGE
Verified= true
RSSI= -45 dB
Supported Video Formats= [MJPEG, FLV, RTSP]
Supported Video Codecs= [H264, MPEG4]
FLV URL= https://172.16.12.100:80/openhome/streaming/channels/0/flv
MJPEG URL= https://172.16.12.100:80/openhome/streaming/channels/2/mjpeg
API Version= 3.3
MotionTurnedOn= false
Local Video Aspect Ratio= 16:9
Local Video Resolution= 1280:720
Remote Video Aspect Ratio= 16:9
Remote Video Resolution= 1280:720
Name= Unicorn Zombie Apocalypse
IP= 172.16.12.102
ID= 5
Mac= 78:94:B4:FF:7F:BF
FW Ver= 3.0.02.51
Manufacturer= iControl
Model= iCamera2-C
Video Size= LARGE
Verified= true
RSSI= dB
Supported Video Formats= [MJPEG, FLV, RTSP]
Supported Video Codecs= [H264, MPEG4]
FLV URL=
MJPEG URL=
API Version= 3.3
MotionTurnedOn= false
Local Video Aspect Ratio= 16:9
Local Video Resolution= 1280:720
Remote Video Aspect Ratio= 16:9
Remote Video Resolution= 1280:720
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
05-24-2018
02:00 PM
Hi dbcase,
add max_match=0 to all rex like
|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wrangler2x
Motivator
05-24-2018
03:04 PM
A small tweak to your capture expression...
|rex max_match=0 field=foo "Mac=\s+(?<macid>[^\n\s]+)"
|rex max_match=0 field=foo "RSSI=\s+(?<rssiid>[^\n\s]+)"
Adding the - in there causes it to miss the third RSSI value, which has no hyphen. These stop on whitespace or end of line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
05-24-2018
02:00 PM
Hi dbcase,
add max_match=0 to all rex like
|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"
Hope this helps ...
cheers, MuS
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Maximizing the Value of Splunk ES 8.x
Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Introducing .conf Stories Series!
“.conf Stories” Series – First Feature: Rich Mahlerwein
Every year .conf brings together some of the most ...
