Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to separate results from extraction with multiple similar fields with regex?

SMM10
Explorer
‎05-12-2022 01:36 PM

I am looking through our current alerts and we have a few evaluations that occur like below.

Total_Trade: 129
Total_Value: 300
Total_Amount: 1000

I have a rex like below:

 

 

 

| rex max_match=0 Total_(?<Type>\w+):(?<amount>\w+)

 

 

 


Doing this though I get two fields with multiple events like below.

Type amount
Trade
Value
Amount		 129
300
1000

 

What I wanted was each of these to be separate though/

Type amount

Trade

 129
Value 300
Amount 1000
   
Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 12:56 AM 
| rex max_match=0 "Total_(?<Typeamount>\w+:\s*\w+)"
| mvexpand Typeamount
| rex field=Typeamount "(?<Type>\w+):\s*(?<amount>\w+)"
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...