Splunk Search

How to write regex or MV command to extract multiple values?

Path Finder

Hi,

I have a list of Locate ID's (below) that are contained within a single event in Splunk. I am trying to create regex to pull the values out and list all of them into 1 specified field. The problem is that the numbers vary(locateIds_4, locateIds_7, etc..)

locateIds_0=135cc17a-44ce-4318-abce-e1ffc8652c91, locateIds_4=c296725b-1cca-495d-87cf-962fc6c7a0a0, locateIds_3=874d96b2-eee0-4e85-800b-4b6003a0fed5, locateIds_2=4c5e3c30-d43d-49c1-bbcd-77264221393f, locateIds_1=a60587d4-e709-468f-a85d-d6c4389e83f8, locateIds_6=a6676901-37c8-4a05-ac79-765ebccaadef, locateIds_5=4446b0ca-0c1e-4ea5-b474-375235e10a6f

The regex I have is: rex field=_raw "(?i) .*?: \{(?P<FIELDNAME3>[[a-z]+_[0-100]])"

I cannot seem to capture the right way to extract ONLY the located ID even if the number(s) change. Also, would the mv command be useful as well? I have not used it before so any feedback is greatly appreciated!

0 Karma
1 Solution

Path Finder

Here's how you'd do it with a regex:

| rex field=_raw max_match=100 "(?:locateIds_\d{1,2}=)(?<fieldName>[^,\s]*)"

View solution in original post

Path Finder

Here's how you'd do it with a regex:

| rex field=_raw max_match=100 "(?:locateIds_\d{1,2}=)(?<fieldName>[^,\s]*)"

View solution in original post

Path Finder

Thanks! I was just reading up on the possibilities of regex with setting a match when I saw this.

0 Karma

Champion

If that is how your raw data looks like you probably want to use the extract command.

... | extract pairdelim=",", kvdelim="=" mv_add=true

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Extract

0 Karma

Revered Legend

This will not work. Since the attribute name is different for each pair, the extract will not combine all localeIDs into 1.

0 Karma