Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract multiple values from a single field...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some fields within Splunk that are showing 1 to many values.
One log may have the following:
sig_names="value1,value2,value3"
And another log may have the following:
sig_names="value2,value3"
And one more log may have the following:
sig_names="value1"
Within Splunk, the following will be shown in the Field Extractions:
sig_names
__Values__ ------------------------- __Count__ ------- __%__
value1,value2,value3 -------- _34_ --------- _96%_
value2,value3 ----------------- _4_ -------------_2%_
value1--------------------------- _4_ -------------_2%_
I may have a regex for something like rex field=sigNames "(?P<sigName>[^\x2c]+)"
This returns multiple matches within a single field... each instance of value up until a comma.
But Splunk just matches the first capture and calls it a day. When I use a rex on that field, I get something like:
sigName
__Values__ ------------------------- __Count__ ------- __%__
value1 --------------------------- _38_ -------- _98%_
value2 -------------------------- _4_ -------------_2%_
(notice how value3 is completely omitted as it never came first in any of the strings?)
In the end I want to get a count of EACH value1, EACH value2, and EACH value3 so I end up with something like:
sigName
__Values__ ------------------------- __Count__ ------- __%__
value1 --------------------------- _21_ --------- _98%_
value2 -------------------------- _15_ -----------_2%_
value3 --------------------------- _6_ -----------_2%_
How do I extract multiple values from one field with an unknown amount of value instances using a regex?
(could have a single value with no comma following, or could have 5 values with a comma between each)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good news - you don't need any regex for this!
your base search
| eval sig_names=split(sig_names, ",")
| stats count by sig_names
The split function will break the sig_names field into multiple values, as desired, and leave the field alone if there are no commas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good news - you don't need any regex for this!
your base search
| eval sig_names=split(sig_names, ",")
| stats count by sig_names
The split function will break the sig_names field into multiple values, as desired, and leave the field alone if there are no commas.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
