At search time, I want to extract multivalued fields. The docs for rex say to use the max_match option.
Example: I want to have a multivalued field containing all hyphenated words in an event.
So for this data:
data one-fish two-fish red-fish rock-fist
My resulting field should be 'hyphenated', with the value of 'one-fish,two-fish,red-fish,rock-fist' (or however it's represented)
My search to extract this field should look like this:
search * | rex field=_raw "(?<hyphenated>\S+\-\S+) max_match=10
This results in "Error in 'rex' command: Invalid argument: 'max_match=10'
Tried this in 4.0.3 and 4.0.7 with no luck. Is this option bogus?
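The search from the question in corrected form, as an added example that is not part of the original post: the regex is closed before `max_match`, `makeresults` embeds the sample line so the search runs without an index, and `mvjoin` renders the multivalue field as the comma-separated string the question asks for.

```spl
| makeresults
| eval _raw="data one-fish two-fish red-fish rock-fist"
| rex field=_raw "(?<hyphenated>\S+-\S+)" max_match=10
| eval hyphenated_csv=mvjoin(hyphenated, ",")
| table _raw hyphenated hyphenated_csv
```

With `max_match=10` the `hyphenated` field holds the four matches as separate values and `hyphenated_csv` is `one-fish,two-fish,red-fish,rock-fist`.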
You need to end your "quotation marks" then max match
I think max_match only works outside of the actual rex statement.
Example Event1: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Dead:/color1}
Example Event2: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Alive:/color2}
Example Event3: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Harm:/color3}
index=CHOCOLATE GOONIES_CHARACTERS CHUNK_STATUS=*
| rex "CHUNK_STATUS={(?<CHNK_STAT>[a-zA-Z0-9;:. /-]+)}" max_match=100
| table CHNK_STAT _raw
This should put the 3 statuses in a table with the raw event next to it.
I'm on Splunk 6.3 - hope this helped!
Snoochie Boochies!
I downvoted this post because I upvoted it but it's actually a bad answer
No it is not. It works as documented for me in 4.0.9 and 4.0.10. It appears that it
It looks to me unless you just had a transcription error that you are missing your closing double-quote after your regex though.
Update: It is not in 4.0.3, and the online docs are incorrect if they state they are. (The in-product help, however, is correct and does list all available options in that version, so in case of conflict, go with the in-product help.)
For me on 4.3.3 it doesn't work as designed
max_match=100 is working
but
max_match=0 doesn't work; it returns no result instead of unlimited.