Solved: How to capture all "Names" from a single event?

Android99 · ‎04-10-2023

Hi,

Hypothetically speaking, if I have the following event:

q[pworei[qpweori[pqwoeirp[qowier[powierw"NAME":"BOB";POQIWERUPQOWIEUPROIQWEURPOWIERPOWQIUR"NAME":"SAM";qpweoirpwoierupwoiproiqproiw"NAME":"COLT";

I want to have a table with a column title Name, and then have all names included in that row. Preferably in this format: BOB, SAM, COLT. Is this possible?

The problem I run into is when I do:

| rex field=_raw \"NAME\"\:\"(?<Name>\W+)\"

It only captures the first Name. Is there anything I can do where it captures all of the names?

somesoni2 · ‎04-10-2023

Try like this to override default match limit of 1. This will give you a multivalued field 'Name'.

| rex max_match=0 field=_raw \"NAME\"\:\"(?<Name>\W+)\"

You can further use command "| nomv Name" to make it a single valued field.

View solution in original post

somesoni2 · ‎04-10-2023

Try like this to override default match limit of 1. This will give you a multivalued field 'Name'.

| rex max_match=0 field=_raw \"NAME\"\:\"(?<Name>\W+)\"

You can further use command "| nomv Name" to make it a single valued field.

How to capture all "Names" from a single event?

regex

rex

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes