Splunk Search

How to capture Multiple values in single group via regex?

abhishekbhasin
Explorer

Need to extract P302, P1, P2 with a single regular expression. I built (?<Par>P[1-9][0-9]*), but when I run this in Splunk it only captures the first (P302).

 [SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 pTime={P302=11,P1=7,P301=13,P2=24,P3=23,P4=31,P5=25,P6=23,P300=13,P7=23,P8=24,P9=24,P10=21,P12=24,P11=23,P1000=1,P14=26,P13=24,P16=21,P15=20,P18=20,P17=23} pProcessTime={P302p=10,P1p=6,P301p=12,P2p=23,P3p=22,P4p=30,P5p=24,P6p=23,P300p=13,P7p=23,P8p=24,P9p=24,P10p=21,P12p=23,P11p=22,P1000p=0,P14p=26,P13p=23,P16p=20,P15p=20,P18p=20,P17p=23} pWaitTime=


abhishekbhasin
Explorer

Full syntax please. rex max_match=3 ... (?<Par>P[1-9][0-9]*) doesn't work


ITWhisperer
SplunkTrust

The ellipsis (...) was to indicate the rest of your command - try it like this:

| rex max_match=3 "(?<Par>P[1-9][0-9]*)"

abhishekbhasin
Explorer

Thanks! It works.


yuanliu
SplunkTrust

Can you explain "doesn't work?"  This is a test:

 

| makeresults
| eval _raw = " [SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 pTime={P302=11,P1=7,P301=13,P2=24,P3=23,P4=31,P5=25,P6=23,P300=13,P7=23,P8=24,P9=24,P10=21,P12=24,P11=23,P1000=1,P14=26,P13=24,P16=21,P15=20,P18=20,P17=23} pProcessTime={P302p=10,P1p=6,P301p=12,P2p=23,P3p=22,P4p=30,P5p=24,P6p=23,P300p=13,P7p=23,P8p=24,P9p=24,P10p=21,P12p=23,P11p=22,P1000p=0,P14p=26,P13p=23,P16p=20,P15p=20,P18p=20,P17p=23} pWaitTime="
| rex max_match=3 "(?<Par>P[1-9][0-9]*)"

 

Output is exactly 3 values in Par.

Par: P302, P1, P301
_raw: [SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 pTime={P302=11,P1=7,P301=13,P2=24,P3=23,P4=31,P5=25,P6=23,P300=13,P7=23,P8=24,P9=24,P10=21,P12=24,P11=23,P1000=1,P14=26,P13=24,P16=21,P15=20,P18=20,P17=23} pProcessTime={P302p=10,P1p=6,P301p=12,P2p=23,P3p=22,P4p=30,P5p=24,P6p=23,P300p=13,P7p=23,P8p=24,P9p=24,P10p=21,P12p=23,P11p=22,P1000p=0,P14p=26,P13p=23,P16p=20,P15p=20,P18p=20,P17p=23} pWaitTime=2022-09-08 20:42:37

Maybe you need all of them?  Then max_match=0.

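A Python model of the max_match behaviour discussed in this thread, added here as an example; it is not part of any poster's reply and is not Splunk code. It shows that with max_match=0 the thread's pattern also matches the P302, P1, P301 prefixes inside pProcessTime, and that scoping the match to the pTime block avoids this. The helper names `rex` and `ptime_pairs`, the group names `block` and `Val`, and the shortened event are assumptions.

```python
import re

# Constructed sample: the event from the thread, shortened to three entries per block.
EVENT = ("[SearchBroker - XXX] - [submitSearch] INFO: XXX [] - submitSearch time=36 "
         "pTime={P302=11,P1=7,P301=13} "
         "pProcessTime={P302p=10,P1p=6,P301p=12} pWaitTime=")

# The regex from the thread, in the PCRE named-group syntax that rex accepts.
PATTERN = r"(?<Par>P[1-9][0-9]*)"


def rex(text, pattern, max_match=1):
    """Hypothetical helper modelling rex's max_match option (not Splunk's code):
    1 keeps the first match, N keeps the first N, 0 keeps every match."""
    # Python's re needs (?P<name>...) where PCRE accepts (?<name>...).
    py_pattern = re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)
    fields = {}
    for n, match in enumerate(re.finditer(py_pattern, text), start=1):
        for name, value in match.groupdict().items():
            if value is not None:
                fields.setdefault(name, []).append(value)
        if max_match and n >= max_match:
            break  # stop once the requested number of matches is collected
    return fields


def ptime_pairs(text):
    """Isolate the pTime={...} block first, then take every name=value pair in it,
    so the P302p, P1p, ... entries of pProcessTime are never considered."""
    block = rex(text, r"pTime=\{(?<block>[^}]*)\}").get("block", [""])[0]
    hits = rex(block, r"(?<Par>P[1-9][0-9]*)=(?<Val>[0-9]+)", max_match=0)
    return dict(zip(hits.get("Par", []), map(int, hits.get("Val", []))))


if __name__ == "__main__":
    print(rex(EVENT, PATTERN))               # default: first match only
    print(rex(EVENT, PATTERN, max_match=3))  # first three matches
    print(rex(EVENT, PATTERN, max_match=0))  # every match, pProcessTime included
    print(ptime_pairs(EVENT))                # scoped to the pTime block
```
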

ITWhisperer
SplunkTrust
| rex max_match=3 ...