Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

INLINE EXTRACTION with /g option for RegEX

verbal_666
Builder
‎07-07-2023 02:40 AM

Hi.
Question:
is there a way to add the classic /g option for RegEX in INLINE RegEX extractor for Splunk (props), without using command rex or other tranformations?

Example,

 

SerialNumber=12345,SerialNumber=67890

 

With a classical regex, "/SerialNumber=(?P<sn>\d+)/g" i can found "12345" & "67890".
Same with an SPL "rex max-match=0 "SerialNumber=(?P<sn>\d+)".
But how to do it in INLINE extraction?

I got rid of the "problem" using extraction of "sn1" & "sn2" fields and transforming them with an eval transformation ("sn = sn1.' , '.sn2") and it works fine. But if, tomorrow, i'll find something like

 

SerialNumber=12345,SerialNumber=67890,SerialNumber=09876,SerialNumber=54321

 


Without the rex i would be in trouble!

Thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2023 02:56 AM

Have you tried

MV_ADD = true

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2023 02:56 AM

Have you tried

MV_ADD = true
Reply
Solved! Jump to solution

verbal_666
Builder
‎07-07-2023 03:40 AM

Ok with props & transforms solution.
Ticking the "create mv fields", adds the MV_ADD to transforms and does the trick.
I was going to prefer to only use props, but it's ok 👍👍👍

ps. the "(?g)" text in regex INLINE gives errors in regex format.

Thanks all 😊

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎07-07-2023 03:07 AM

Mmmmm... where? 🙄😁 ... in transforms.conf?
So there is no WebIf option to do it?

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-07-2023 03:15 AM

Hi

have you try to use (?g) on beginning of regex? Another option is use transforms and then MV as @ITWhisperer already proposed.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎07-07-2023 03:17 AM

I'll try the "?g" on beginning. I tried the "/g" at the end, but without success 😏
I prefer to only use props and not also transforms.
Thanks anyway.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-07-2023 03:19 AM
Like this (?g) or just ?g, brackets is mandatory.
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...