Splunk Search

How to write regex to extract all values for a field at search time?

royimad
Builder

Hello Guys,

I have the following log, and I need to extract all the TagID. I have written this regular expression but it only extracts the first TagID:

| rex "(?i)(TagID){(?P\w+)}"

Tue Aug 19 2014 04:47:18,515 EDT DEBUG wmservice.business.mobilehospital - [saveDeviceRead2 - HM10042 - roy.imad] Method invoked with parameters : [username]{roy.imad}[deviceId]{HM10042}[macAddress]{XXXX-xxxxx-xxxxx-xxxxxx-xxx}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}|(TagID){E0040100206E7BF7}|(TagID){E0040100206E7BAF}|(TagID){E0040100206E7967}|(TagID){E0040100206E64A1}|(TagID){E0040100206E90F4}|(TagID){E0040100206E64A9}|(TagID){E0040100206E796F}|(TagID){E0040100206E791F}|(TagID){E0040100206E90FC}}[readMode]{A}[updateEventInfo]{(Disposition){}(RGA){}(PO){}(SO){}(DetailDisposition){}(EncounterID){null}(DestinationID){}(ReturnID){null}(DispositionFlag){false}(RGAFlag){false}(POFlag){false}(SOFlag){false}(DetailDispositionFlag){false}(EncounterIDFlag){false}(DestinationIDFlag){false}(ReturnIDFlag){false}}[createAudit]{true}[auditInfo]{(EndpointID){RU00014GN1}(Signature){}(ImageSignature){null}(SignerName){null}(Comment){}}

1 Solution

MuS
Legend

Hi royimad,

try something like this:

 | rex "\(TagID\)\{(?<tagid>\w+)\}"

tested and working on http://regexr.com/v1/ with your provided event example...

cheers, MuS


MuS
Legend

working on that in your other question 😉 ....

royimad
Builder

I just want to count the number of occurrences of the word TagID, is that feasible?

0 Karma

royimad
Builder

If I want only to count the number of occurrences of the word TagID without selecting the values, how can I do that?

0 Karma
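
An added example (not part of the original thread or of MuS's answer) covering both the question and the follow-up about counting: `rex` keeps only the first match unless `max_match` is raised (0 means no limit), and `mvcount` then counts the values in the resulting multivalue field. The `_raw` value is a constructed, shortened copy of the event in the question, and `tag_count` is a field name chosen here.

```spl
| makeresults
| eval _raw="[deviceId]{HM10042}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}}[readMode]{A}"
| rex max_match=0 "\(TagID\)\{(?<tagid>\w+)\}"
| eval tag_count=mvcount(tagid)
| table tagid tag_count
```

To keep only the count, end the search with `| fields - tagid` instead of the `table` line. Against real events, drop the `makeresults` and `eval _raw` lines and append the rest to the base search.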