I'm using the following regex to extract name from data:
.. | rex "@name='(?P<Name>[^']+)" max_match=0
This works and extracts the Name field multiple times, but I want to extract the Name in multiple fields like Name01, Name02 ...
The reason for this is that I use the ODBC driver to get the search results and this only gets the first Name value.
Here is an example of the data:
COGIPF_REPORTPATH=/content/folder[@name='Reports']/folder[@name='Test company']/folder[@name='Sales']/folder[@name='User reports']/folder[@name='Test User']/analysis[@name='Sales this month']
Hi, try this
.....| rex "@name='(?P[^']+)" max_match=0| eval name1=mvindex(Name,0) | eval name2=mvindex(Name,1) | eval name3=mvindex(Name,2) | eval name4=mvindex(Name,3) | eval name5=mvindex(Name,4)| eval name6=mvindex(Name,5) |table name1 name2 name3 name4 name5 name6
Hi, try this
.....| rex "@name='(?P[^']+)" max_match=0| eval name1=mvindex(Name,0) | eval name2=mvindex(Name,1) | eval name3=mvindex(Name,2) | eval name4=mvindex(Name,3) | eval name5=mvindex(Name,4)| eval name6=mvindex(Name,5) |table name1 name2 name3 name4 name5 name6
Hi
Great, just what I needed.
It even Works through the ODBC connection showing the right data.
Thanks.
you 're welcome
have you looked at mvexpand? http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Mvexpand
you could pipe an mvexpand command at the end of your rex extraction.
Hi
Thanks for your suggestion.
I have just tried to use mvexpand but this results in multiple events/records.
What I need is a single event with the multivalue field seperated in different fields.