Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do you use rex's max_match option?

cfergus
Path Finder
‎04-09-2010 07:02 PM

At search time, I want to extract multivalued fields. The docs for rex say to use the max_match option.

Example: I want to have a multivalued field containing all hyphenated words in an event.

So for this data:

data one-fish two-fish red-fish rock-fist

My resulting field should be 'hyphenated', with the value of 'one-fish,two-fish,red-fish,rock-fist' (or however it's represented)

My search to extract this field should look like this:

search * | rex field=_raw "(?<hyphenated>\S+\-\S+) max_match=10

This results in "Error in 'rex' command: Invalid argument: 'max_match=10'

Tried this in 4.0.3 and 4.0.7 with no luck. Is this option bogus?

Tags (1)
Reply

dkeesling
Explorer
‎09-26-2016 12:27 PM

You need to end your "quotation marks" then max match
I think max_match only works outside of the actual rex statement.

Example Event1: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Dead:/color1}
Example Event2: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Alive:/color2}
Example Event3: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Harm:/color3}

index=CHOCOLATE GOONIES_CHARACTERS CHUNK_STATUS=*
| rex "CHUNK_STATUS={(?[a-zA-Z0-9;:. /-]+)}" max_match=100
| table CHNK_STAT _raw

This should put the 3 statsus in a table with the raw event next to it.

Im on splunk 6.3 - hope this helped!

Snoochie Boochies!

Reply

yoho
Contributor
‎07-12-2019 02:19 AM

I downvoted this post because i upvoted it but it's actually a bad answer

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-09-2010 08:16 PM

No it is not. It works as documented for me in 4.0.9 and 4.0.10. It appears that it

It looks to me unless you just had a transcription error that you are missing your closing double-quote after your regex though.

Update: It is not in 4.0.3, and the online docs are incorrect if they state they are. (The in-product help, however, is correct and does list all available options in that version, so in case of conflict, go with the in-product help.)

Reply

sbsbb
Builder
‎05-02-2013 02:07 AM

By me on 4.3.3 it doesn't work as designed
max_match=100 is working
but
max_match=0 doesn't work, return no result, in place of unlimited.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...