Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to rex multiple lines
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
garujoey
Engager
05-10-2018
03:39 AM
Hi there,
I am a newbie in Splunk and trying to do some search using the rex.
The log body is like:
blah blah
Dest : aaa
blah blah
Dest: bbb
blah blah
Dest: ccc
I searched online and used some command like ' rex field=_raw "(?s)Dest : (?.*)" ' or (?smi), but it wasn't what I wanted.
I need the output to only get the table like
aaa
bbb
ccc
Is there any way to do that?
Thank you very much in advance!
:)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-10-2018
07:19 AM
Like this:
| rex max_match=0 "(?ms)\s+Dest:\s+(?<Dest>\S+)"
| stats values(Dest) AS Dests
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davey1985
Explorer
05-10-2018
08:02 AM
To get it into a table on its own it would be:
| rex "Dest:\s+(?<Data>.*)"
| table Data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jimodonald
Contributor
05-10-2018
07:25 AM
Try this:
| rex field=_raw "Dest\s*:\s(?P<myfield>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-10-2018
07:19 AM
Like this:
| rex max_match=0 "(?ms)\s+Dest:\s+(?<Dest>\S+)"
| stats values(Dest) AS Dests
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davey1985
Explorer
05-10-2018
08:22 AM
+1 i misinterpretted. max_match=0 would get multiple results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
garujoey
Engager
05-10-2018
07:14 PM
Thanks woodcock, I used "| rex max_match=0 field=_raw "(?)Dest : (?.*)" | table path" in the end, but your suggestion to use "max_match=0" really helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-10-2018
10:29 AM
That is the whole point, is it not?
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Are you ready to transform how your team handles complex data requests?
We invite you to our upcoming ...
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
