Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write the regex to extract all instances of this field from unstructured data?

sushmitha_mj
Communicator
‎06-06-2016 11:02 AM

This is the first time I am using IFE and having some difficulty extracting data. I am not good at regex, so I used the Interactive Field Extractor to extract the field.

I have the string trans(1234) in the records. I am creating a field Trans - this field is storing the number inside the brackets as the value. In this case, Value is 1234. I have multiple such trans(####) vales in one entry. Splunk is identifying just the first occurring such trans(value) in each record. Is there a way to identify all of the different trans() in each event as a separate entry?

Also is there a good documentation with examples on how to write rex for beginners?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-06-2016 11:11 AM

IFX does not do well with regex and particularly with multi-value fields. Try this in your search instead

.... | rex max_match=0 "trans\((?<trans>\d+)\)" | table trans

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-06-2016 11:11 AM

IFX does not do well with regex and particularly with multi-value fields. Try this in your search instead

.... | rex max_match=0 "trans\((?<trans>\d+)\)" | table trans
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎06-06-2016 12:03 PM

Do you suggest I use this expression in the "write your own regular expression section inside the Extract fields?

When I write it as a query it works but inside the extract fields regex it does not work....

0 Karma
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎06-06-2016 01:03 PM

If I put this on the regex part : trans((?\d+)) It identifies the first trans id in each event. How can I extract all the trans as a separate field? I am unable to specify max_match =0.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-06-2016 01:15 PM

In the transforms, you need to use MV_ADD=true

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-06-2016 01:00 PM

you cannot use max_match in IFX. However, you update your conf files to extract this field at search time. Here's some good docs on that http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Createandmaintainsearch-timefieldextract...

0 Karma
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎06-06-2016 01:18 PM

Looks like there is no way I can extract multiple values in same row using IFX then. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top