Splunk Search

How to repeat a regex to match more than one instances

att35
Builder

Hi,

We are using following regex to capture "caused by" exceptions within java stack trace.

Caused by: (?P<Exception>[^\r\n]+)

 

When testing in regex101, it seems to be working well. Captures both instances of "caused by" in the sample trace.

https://regex101.com/r/yL1ucO/1 

But when used with EXTRACT within props.conf, Splunk only gets the first instance, i.e. "SomeException". 2nd occurrence, "AnotherException" is not captured.

Should I be using REPEAT_MATCH with transforms stanza, or is there a way to fix this within props itself?

Labels (1)
Tags (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Yes. The additional options are one of the reasons for using TRANSFORM-based exractions instead of REPORT.

Notice, however, that REPEAT_MATCH is for index-time extractions.  You might want to consider MV_ADD

View solution in original post

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Yes. The additional options are one of the reasons for using TRANSFORM-based exractions instead of REPORT.

Notice, however, that REPEAT_MATCH is for index-time extractions.  You might want to consider MV_ADD

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...