Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a Regex to search globally?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write a Regex to search globally?
below is the data which has multiple features for a single item. I want to write a regex which could search all occurrences of feature (not just first occurance) and then count the feature . I have written below search string but count value is not consistent. can someone plz take a look and advice.
Many thanks in advance.
|makeresults
| eval _raw="[{\"\"feature\"\": \"\"INTDATA\"\"},
{\"\"feature\"\": \"\"INTDATA2\"\"},
{\"\"feature\"\": \"\"MGDAT0\"\"},
{\"\"feature\"\": \"\"MGPR2TI\"\"},
{\"\"feature\"\": \"\"MSTORE\"\"},
{\"\"feature\"\": \"\"PNINCLWAP\"\"},
{\"\"feature\"\": \"\"PRMCAFIND\"\"},
{\"\"feature\"\": \"\"3WY\"\"},
{\"\"feature\"\": \"\"CFC\"\"},
{\"\"feature\"\": \"\"CFU\"\"},
{\"\"feature\"\": \"\"CLIP\"\"},
{\"\"feature\"\": \"\"CLIR\"\"},
{\"\"feature\"\": \"\"CLW\"\"},
{\"\"feature\"\": \"\"DATA\"\"},
{\"\"feature\"\": \"\"CAMTAC\"\"},
{\"\"feature\"\": \"\"HOLD\"\"},
{\"\"feature\"\": \"\"INROAM\"\"},
{\"\"feature\"\": \"\"ISP\"\"},
{\"\"feature\"\": \"\"MSTORE\"\"},
{\"\"feature\"\": \"\"NWROAM\"\"},
{\"\"feature\"\": \"\"PERMGL\"\"},
{\"\"feature\"\": \"\"SMSO\"\"},
{\"\"feature\"\": \"\"VM\"\"},
{\"\"feature\"\": \"\"GFLEX\"\"}]"
|rex max_match=0 "\"\"feature\"\": \"\"(?<feature>.*?)\"\"}"
|stats count(feature) by feature
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
|makeresults
| eval _raw="[{\"\"feature\"\": \"\"INTDATA\"\"},
{\"\"feature\"\": \"\"INTDATA2\"\"},
{\"\"feature\"\": \"\"MGDAT0\"\"},
{\"\"feature\"\": \"\"MGPR2TI\"\"},
{\"\"feature\"\": \"\"MSTORE\"\"},
{\"\"feature\"\": \"\"PNINCLWAP\"\"},
{\"\"feature\"\": \"\"PRMCAFIND\"\"},
{\"\"feature\"\": \"\"3WY\"\"},
{\"\"feature\"\": \"\"CFC\"\"},
{\"\"feature\"\": \"\"CFU\"\"},
{\"\"feature\"\": \"\"CLIP\"\"},
{\"\"feature\"\": \"\"CLIR\"\"},
{\"\"feature\"\": \"\"CLW\"\"},
{\"\"feature\"\": \"\"DATA\"\"},
{\"\"feature\"\": \"\"CAMTAC\"\"},
{\"\"feature\"\": \"\"HOLD\"\"},
{\"\"feature\"\": \"\"INROAM\"\"},
{\"\"feature\"\": \"\"ISP\"\"},
{\"\"feature\"\": \"\"MSTORE\"\"},
{\"\"feature\"\": \"\"NWROAM\"\"},
{\"\"feature\"\": \"\"PERMGL\"\"},
{\"\"feature\"\": \"\"SMSO\"\"},
{\"\"feature\"\": \"\"VM\"\"},
{\"\"feature\"\": \"\"GFLEX\"\"}]"
|rex max_match=0 "\"\"feature\"\": \"\"(?<feature>.*?)\"\"}"| mvexpand feature
|stats count(feature) by feature- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you that works.
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Dashboards: Hiding charts while search is being executed and other uses for tokens
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
