Splunk Search

Multiple Values per Event - transforms.conf regex

lohans
Explorer

I am trying to pick out all the Email addresses from the sample data below:

USER:Peter Pan
EMAIL:email@email.com
EMAIL:email1@email.com
EMAIL:email2@email.com
EMAIL:email3@email.com
EMAIL:email4@email.com
EMAIL:email5@email.com
USER:Bob Scott
EMAIL:email@email.com
EMAIL:email1@email.com
EMAIL:email2@email.com
EMAIL:email3@email.com
EMAIL:email4@email.com
EMAIL:email5@email.com
USER:Tomas Uncle
EMAIL:email@email.com
EMAIL:email1@email.com
EMAIL:email2@email.com
EMAIL:email3@email.com
EMAIL:email4@email.com
EMAIL:email5@email.com

Now this regex with rex works fine and picks up all the email addresses

rex field=_raw max_match=15 "EMAIL:(?<test>.*?)\n"

But how do i specify in transforms.conf to match multiple times??

There is no max_match option for transforms.conf
Here is my transforms.conf

[get-emails]
REGEX = ^EMAIL:(.*?)\n
FORMAT = Emails::$1

As you can see i tried both types of supported regex's in the transforms.conf file.

Any ideas?

1 Solution

ziegfried
Influencer

You can use the MV_ADD option in your transforms stanza:

[get-emails]
REGEX = EMAIL:(\S+)
FORMAT = Emails::$1
MV_ADD = true

View solution in original post

ziegfried
Influencer

You can use the MV_ADD option in your transforms stanza:

[get-emails]
REGEX = EMAIL:(\S+)
FORMAT = Emails::$1
MV_ADD = true

lohans
Explorer

Now that was easy! Thanks a million! 😉

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...