Solved: How to create a regular expression on a multivalue...

jlkokko · ‎03-08-2017

I have a multivalue (MV) field "filetypes" with values such as:

test/Makefile.am,test/och_test.cc,test/fully1.py,24,FKP/pro.pl

I need to keep only the extension listed (such as am, cc, py, pl, etc..) so I have two questions:

A. The appropriate regular expression
B. Is it more appropriate to run a regex prior splitting a MV field or after?

somesoni2 · ‎03-08-2017

Try like this. It'll create a new field with just the extn.

your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"

View solution in original post

jlkokko · ‎03-08-2017

Both of the above worked well...wondering if one less expensive than the other

woodcock · ‎03-08-2017

Like this:

... | mvexpand filetypes | rex field=filetypes "^(?<file_prefix>.+)\.(?<file_suffix>[^\.]+)$"

woodcock · ‎03-08-2017

Mine was geared towards enabling the later commands that you will surely be interested in doing. You can look at the Job Inspector to compare efficiencies.

somesoni2 · ‎03-08-2017

Try like this. It'll create a new field with just the extn.

your base search with file filetype
| rex field=filetypes max_match=0 "(?<extns>\.\w+)"

How to create a regular expression on a multivalue field

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to create a regular expression on a multivalue field

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0