Solved: Re: How to rex multiple lines

garujoey · ‎05-10-2018

Hi there,

I am a newbie in Splunk and trying to do some search using the rex.

The log body is like:

blah blah
Dest : aaa
blah blah
Dest: bbb
blah blah
Dest: ccc

I searched online and used some command like ' rex field=_raw "(?s)Dest : (?.*)" ' or (?smi), but it wasn't what I wanted.

I need the output to only get the table like
aaa
bbb
ccc

Is there any way to do that?

Thank you very much in advance!
:)

woodcock · ‎05-10-2018

Like this:

| rex max_match=0 "(?ms)\s+Dest:\s+(?<Dest>\S+)"
| stats values(Dest) AS Dests

View solution in original post

davey1985 · ‎05-10-2018

To get it into a table on its own it would be:

| rex "Dest:\s+(?<Data>.*)"
| table Data

jimodonald · ‎05-10-2018

Try this:

|  rex field=_raw "Dest\s*:\s(?P<myfield>.*)"

woodcock · ‎05-10-2018

Like this:

| rex max_match=0 "(?ms)\s+Dest:\s+(?<Dest>\S+)"
| stats values(Dest) AS Dests

davey1985 · ‎05-10-2018

+1 i misinterpretted. max_match=0 would get multiple results

garujoey · ‎05-10-2018

Thanks woodcock, I used "| rex max_match=0 field=_raw "(?)Dest : (?.*)" | table path" in the end, but your suggestion to use "max_match=0" really helps!

woodcock · ‎05-10-2018

That is the whole point, is it not?

How to rex multiple lines

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation