Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to use max_match inside a datamodel rex definition?

tonniea
Explorer
‎04-29-2018 05:00 AM

In the definition of a datamodel, I would like to use a regular expression with argument max_match=10 or max_match=0. In the datamodel editor this doesn't seem to be possible.

Any thoughts?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 01:04 AM

Reposting the comment of @tonniea so it doesn't get lost 🙂

In the field definition of the datamodel for your rex field you find this:

"calculationType":"Rex","expression":"(?[^<]?)<"},{"outputFields":[{"fieldName":"cpu_load","owner":"cpu2","type":"string","fieldSearch":"","required":false,"multivalue":false*,"hidden":false...etc

If you change the "multivalue" attribute to true, import the datamodel and restart Splunk this appears to be working as intended.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 01:04 AM

Reposting the comment of @tonniea so it doesn't get lost 🙂

In the field definition of the datamodel for your rex field you find this:

"calculationType":"Rex","expression":"(?[^<]?)<"},{"outputFields":[{"fieldName":"cpu_load","owner":"cpu2","type":"string","fieldSearch":"","required":false,"multivalue":false*,"hidden":false...etc

If you change the "multivalue" attribute to true, import the datamodel and restart Splunk this appears to be working as intended.
0 Karma
Reply
Solved! Jump to solution

monteiroh
Explorer
‎01-20-2020 06:24 AM

did u get this to work?

0 Karma
Reply
Solved! Jump to solution

tomaszwrona
Explorer
‎05-17-2019 11:44 AM

Hi,

i have tried this approach, changed multivalve to true and restarted Splunk. Sadly it didn't work in 7.2.6.
Is there something different? How else can I put into data model regular expression fields with max_match=0?

Best regards
Tomasz

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-29-2018 06:36 AM

Without trying - the datamodels are saved as a file, maybe you can try to manually manipulate/add that setting there?

Reply
Solved! Jump to solution

tonniea
Explorer
‎04-29-2018 11:10 PM

Thanks for the hint. In the JSON export I found a multivalue option that I'm going to try. Too bad this isn't accessible via the editor.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 12:01 AM

Good to know. Now that you have the details at hand, you could post an answer to your own question so others Googling for it can profit of your experience 😉

0 Karma
Reply
Solved! Jump to solution

tonniea
Explorer
‎04-30-2018 12:09 AM

Yep, sure...

In the field definition of the datamodel for your rex field you find this:

"calculationType":"Rex","expression":"(?[^<]?)<"},{"outputFields":[{"fieldName":"cpu_load","owner":"cpu2","type":"string","fieldSearch":"","required":false,"multivalue":false*,"hidden":false...etc

If you change the "multivalue" attribute to true, import the datamodel and restart Splunk this appears to be working as intended.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...