Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a regular expression on a multivalue...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jlkokko
Path Finder
03-08-2017
07:38 AM
I have a multivalue (MV) field "filetypes" with values such as:
test/Makefile.am,test/och_test.cc,test/fully1.py,24,FKP/pro.pl
I need to keep only the extension listed (such as am, cc, py, pl, etc..) so I have two questions:
A. The appropriate regular expression
B. Is it more appropriate to run a regex prior splitting a MV field or after?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-08-2017
08:04 AM
Try like this. It'll create a new field with just the extn.
your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jlkokko
Path Finder
03-08-2017
10:27 AM
Both of the above worked well...wondering if one less expensive than the other
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-08-2017
10:03 AM
Like this:
... | mvexpand filetypes | rex field=filetypes "^(?<file_prefix>.+)\.(?<file_suffix>[^\.]+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-08-2017
10:37 AM
Mine was geared towards enabling the later commands that you will surely be interested in doing. You can look at the Job Inspector to compare efficiencies.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-08-2017
08:04 AM
Try like this. It'll create a new field with just the extn.
your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"
Get Updates on the Splunk Community!
New This Month - Splunk Observability updates and improvements for faster ...
What’s New?
This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...
What's New in Splunk Cloud Platform 9.3.2411?
Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Buttercup Games: Further Dashboarding Techniques (Part 6)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
