Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write the regex to extract all instances of this field from unstructured data?

sushmitha_mj
Communicator
‎06-06-2016 11:02 AM

This is the first time I am using IFE and having some difficulty extracting data. I am not good at regex, so I used the Interactive Field Extractor to extract the field.

I have the string trans(1234) in the records. I am creating a field Trans - this field is storing the number inside the brackets as the value. In this case, Value is 1234. I have multiple such trans(####) vales in one entry. Splunk is identifying just the first occurring such trans(value) in each record. Is there a way to identify all of the different trans() in each event as a separate entry?

Also is there a good documentation with examples on how to write rex for beginners?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-06-2016 11:11 AM

IFX does not do well with regex and particularly with multi-value fields. Try this in your search instead

.... | rex max_match=0 "trans\((?<trans>\d+)\)" | table trans

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-06-2016 11:11 AM

IFX does not do well with regex and particularly with multi-value fields. Try this in your search instead

.... | rex max_match=0 "trans\((?<trans>\d+)\)" | table trans
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎06-06-2016 12:03 PM

Do you suggest I use this expression in the "write your own regular expression section inside the Extract fields?

When I write it as a query it works but inside the extract fields regex it does not work....

0 Karma
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎06-06-2016 01:03 PM

If I put this on the regex part : trans((?\d+)) It identifies the first trans id in each event. How can I extract all the trans as a separate field? I am unable to specify max_match =0.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-06-2016 01:15 PM

In the transforms, you need to use MV_ADD=true

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-06-2016 01:00 PM

you cannot use max_match in IFX. However, you update your conf files to extract this field at search time. Here's some good docs on that http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Createandmaintainsearch-timefieldextract...

0 Karma
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎06-06-2016 01:18 PM

Looks like there is no way I can extract multiple values in same row using IFX then. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...