Solved: How to extract multiple values with the same delim...

christopheducha · ‎07-29-2020

Hi

I'm trying to regex my way into this puzzle, let me explain my problem.

event 1 (field 2) raw value = log:word1 log:word2 log:word3
event 2 (field 2) raw value = log:19 log:word4

or

The value in field2 from the first event (raw value).
log:word1 log:word2 log:word3
The value in field2 from the second event (raw value).
log:19 log:word4

I want to extract these "log:" values into 3 fields.
Something like field log1 , log2 and log3.

So I tried with this regex :

":(?<log1>\S*) log:(?<log2>\S*) log:(?<log3>\S*)"

Works perfectly with event 1, but didn't work for event 2 because there or only 2 “log:” values.

Can anybody tell me how to make this work?

spitchika · ‎07-29-2020

This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex.

View solution in original post

bowesmana · ‎07-29-2020

You can make the regex use quantifiers, so that 2nd and subsequent extractions are optional using ?

| makeresults
| eval v=split("log:word1 log:word2 log:word3,log:19 log:word4",",")
| mvexpand v
| rex field=v ":(?<log1>\S*)( log:(?<log2>\S*))?( log:(?<log3>\S*))?"

Hope this helps

spitchika · ‎07-29-2020

This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex.

How to extract multiple values with the same delimiter?

regex

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to extract multiple values with the same delimiter?

regex

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming