Solved: How to extract multiple values with the same delim...

christopheducha · ‎07-29-2020

Hi

I'm trying to regex my way into this puzzle, let me explain my problem.

event 1 (field 2) raw value = log:word1 log:word2 log:word3
event 2 (field 2) raw value = log:19 log:word4

or

The value in field2 from the first event (raw value).
log:word1 log:word2 log:word3
The value in field2 from the second event (raw value).
log:19 log:word4

I want to extract these "log:" values into 3 fields.
Something like field log1 , log2 and log3.

So I tried with this regex :

":(?<log1>\S*) log:(?<log2>\S*) log:(?<log3>\S*)"

Works perfectly with event 1, but didn't work for event 2 because there or only 2 “log:” values.

Can anybody tell me how to make this work?

spitchika · ‎07-29-2020

This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex.

View solution in original post

bowesmana · ‎07-29-2020

You can make the regex use quantifiers, so that 2nd and subsequent extractions are optional using ?

| makeresults
| eval v=split("log:word1 log:word2 log:word3,log:19 log:word4",",")
| mvexpand v
| rex field=v ":(?<log1>\S*)( log:(?<log2>\S*))?( log:(?<log3>\S*))?"

Hope this helps

spitchika · ‎07-29-2020

This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex.

How to extract multiple values with the same delimiter?

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation