Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to separate results from extraction with multiple similar fields with regex?

SMM10
Explorer
‎05-12-2022 01:36 PM

I am looking through our current alerts and we have a few evaluations that occur like below.

Total_Trade: 129
Total_Value: 300
Total_Amount: 1000

I have a rex like below:

 

 

 

| rex max_match=0 Total_(?<Type>\w+):(?<amount>\w+)

 

 

 


Doing this though I get two fields with multiple events like below.

Type amount
Trade
Value
Amount		 129
300
1000

 

What I wanted was each of these to be separate though/

Type amount

Trade

 129
Value 300
Amount 1000
   
Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 12:56 AM 
| rex max_match=0 "Total_(?<Typeamount>\w+:\s*\w+)"
| mvexpand Typeamount
| rex field=Typeamount "(?<Type>\w+):\s*(?<amount>\w+)"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...