Splunk Search
Highlighted

How to write regex to extract all values for a field at search time?

Builder

Hello Guys,

I have the following log, and i need to extract all the TagID. I have wrote this regular expression but it only extract the first TagID

| rex "(?i)(TagID){(?P\w+)}"

Tue Aug 19 2014 04:47:18,515 EDT DEBUG wmservice.business.mobilehospital - [saveDeviceRead2 - HM10042 - roy.imad] Method invoked with parameters : [username]{roy.imad}[deviceId]{HM10042}[macAddress]{XXXX-xxxxx-xxxxx-xxxxxx-xxx}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}|(TagID){E0040100206E7BF7}|(TagID){E0040100206E7BAF}|(TagID){E0040100206E7967}|(TagID){E0040100206E64A1}|(TagID){E0040100206E90F4}|(TagID){E0040100206E64A9}|(TagID){E0040100206E796F}|(TagID){E0040100206E791F}|(TagID){E0040100206E90FC}}[readMode]{A}[updateEventInfo]{(Disposition){}(RGA){}(PO){}(SO){}(DetailDisposition){}(EncounterID){null}(DestinationID){}(ReturnID){null}(DispositionFlag){false}(RGAFlag){false}(POFlag){false}(SOFlag){false}(DetailDispositionFlag){false}(EncounterIDFlag){false}(DestinationIDFlag){false}(ReturnIDFlag){false}}[createAudit]{true}[auditInfo]{(EndpointID){RU00014GN1}(Signature){}(ImageSignature){null}(SignerName){null}(Comment){}}

Highlighted

Re: How to write regex to extract all values for a field at search time?

SplunkTrust
SplunkTrust

Hi royimad,

try something like this:

 | rex "\(TagID\)\{(?<tagid>\w+)\}"

tested and working on http://regexr.com/v1/ with your provided event example...

cheers, MuS

View solution in original post

Highlighted

Re: How to write regex to extract all values for a field at search time?

Builder

if i want only to count the number of occurrence of the word TagID without selecting the values how can i do that

0 Karma
Highlighted

Re: How to write regex to extract all values for a field at search time?

Builder

I just want to count the number of occurrence of the word TagID, is that feasible ?

0 Karma
Highlighted

Re: How to write regex to extract all values for a field at search time?

SplunkTrust
SplunkTrust

working on that in your other question 😉 ....