Splunk Search

How do you use rex's max_match option?

cfergus
Path Finder

At search time, I want to extract multivalued fields. The docs for rex say to use the max_match option.

Example: I want to have a multivalued field containing all hyphenated words in an event.

So for this data:

data one-fish two-fish red-fish rock-fist

My resulting field should be 'hyphenated', with the value of 'one-fish,two-fish,red-fish,rock-fist' (or however it's represented)

My search to extract this field should look like this:

search * | rex field=_raw "(?<hyphenated>\S+\-\S+) max_match=10

This results in "Error in 'rex' command: Invalid argument: 'max_match=10'"

Tried this in 4.0.3 and 4.0.7 with no luck. Is this option bogus?


dkeesling
Explorer

You need to end your "quotation marks", then max_match.
I think max_match only works outside of the actual rex statement.

Example Event1: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Dead:/color1}
Example Event2: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Alive:/color2}
Example Event3: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Harm:/color3}

index=CHOCOLATE GOONIES_CHARACTERS CHUNK_STATUS=*
| rex "CHUNK_STATUS={(?<CHNK_STAT>[a-zA-Z0-9;:. /-]+)}" max_match=100
| table CHNK_STAT _raw

This should put the 3 statuses in a table with the raw event next to it.

I'm on Splunk 6.3 - hope this helped!

Snoochie Boochies!

yoho
Contributor

I downvoted this post because I upvoted it, but it's actually a bad answer.

0 Karma

gkanapathy
Splunk Employee

No it is not. It works as documented for me in 4.0.9 and 4.0.10. It appears that it

It looks to me unless you just had a transcription error that you are missing your closing double-quote after your regex though.

Update: It is not in 4.0.3, and the online docs are incorrect if they state they are. (The in-product help, however, is correct and does list all available options in that version, so in case of conflict, go with the in-product help.)

sbsbb
Builder

For me on 4.3.3 it doesn't work as designed:
max_match=100 is working,
but
max_match=0 doesn't work; it returns no result instead of unlimited.

0 Karma