Splunk Search

Is it possible to use max_match inside a datamodel rex definition?

tonniea
Explorer

In the definition of a datamodel, I would like to use a regular expression with argument max_match=10 or max_match=0. In the datamodel editor this doesn't seem to be possible.

Any thoughts?

Tags (1)
0 Karma
1 Solution

xpac
SplunkTrust
SplunkTrust

Reposting the comment of @tonniea so it doesn't get lost 🙂

In the field definition of the datamodel for your rex field you find this:

"calculationType":"Rex","expression":"(?[^<]?)<"},{"outputFields":[{"fieldName":"cpu_load","owner":"cpu2","type":"string","fieldSearch":"","required":false,"multivalue":false*,"hidden":false...etc

If you change the "multivalue" attribute to true, import the datamodel and restart Splunk this appears to be working as intended.

View solution in original post

0 Karma

xpac
SplunkTrust
SplunkTrust

Reposting the comment of @tonniea so it doesn't get lost 🙂

In the field definition of the datamodel for your rex field you find this:

"calculationType":"Rex","expression":"(?[^<]?)<"},{"outputFields":[{"fieldName":"cpu_load","owner":"cpu2","type":"string","fieldSearch":"","required":false,"multivalue":false*,"hidden":false...etc

If you change the "multivalue" attribute to true, import the datamodel and restart Splunk this appears to be working as intended.
0 Karma

monteiroh
Explorer

did u get this to work?

0 Karma

tomaszwrona
Explorer

Hi,

i have tried this approach, changed multivalve to true and restarted Splunk. Sadly it didn't work in 7.2.6.
Is there something different? How else can I put into data model regular expression fields with max_match=0?

Best regards
Tomasz

0 Karma

xpac
SplunkTrust
SplunkTrust

Without trying - the datamodels are saved as a file, maybe you can try to manually manipulate/add that setting there?

tonniea
Explorer

Thanks for the hint. In the JSON export I found a multivalue option that I'm going to try. Too bad this isn't accessible via the editor.

0 Karma

xpac
SplunkTrust
SplunkTrust

Good to know. Now that you have the details at hand, you could post an answer to your own question so others Googling for it can profit of your experience 😉

0 Karma

tonniea
Explorer

Yep, sure...

In the field definition of the datamodel for your rex field you find this:

"calculationType":"Rex","expression":"(?[^<]?)<"},{"outputFields":[{"fieldName":"cpu_load","owner":"cpu2","type":"string","fieldSearch":"","required":false,"multivalue":false*,"hidden":false...etc

If you change the "multivalue" attribute to true, import the datamodel and restart Splunk this appears to be working as intended.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...