Solved: Multiple Values per Event - transforms.conf regex

lohans · ‎05-13-2011

I am trying to pick out all the Email addresses from the sample data below:

USER:Peter Pan EMAIL:email@email.com EMAIL:email1@email.com EMAIL:email2@email.com EMAIL:email3@email.com EMAIL:email4@email.com EMAIL:email5@email.com USER:Bob Scott EMAIL:email@email.com EMAIL:email1@email.com EMAIL:email2@email.com EMAIL:email3@email.com EMAIL:email4@email.com EMAIL:email5@email.com USER:Tomas Uncle EMAIL:email@email.com EMAIL:email1@email.com EMAIL:email2@email.com EMAIL:email3@email.com EMAIL:email4@email.com EMAIL:email5@email.com

Now this regex with rex works fine and picks up all the email addresses

rex field=_raw max_match=15 "EMAIL:(?<test>.*?)\n"

But how do i specify in transforms.conf to match multiple times??

There is no max_match option for transforms.conf
Here is my transforms.conf

[get-emails] REGEX = ^EMAIL:(.*?)\n FORMAT = Emails::$1

As you can see i tried both types of supported regex's in the transforms.conf file.

Any ideas?

ziegfried · ‎05-13-2011

You can use the MV_ADD option in your transforms stanza:

[get-emails]
REGEX = EMAIL:(\S+)
FORMAT = Emails::$1
MV_ADD = true

View solution in original post

ziegfried · ‎05-13-2011

You can use the MV_ADD option in your transforms stanza:

[get-emails]
REGEX = EMAIL:(\S+)
FORMAT = Emails::$1
MV_ADD = true

lohans · ‎05-13-2011

Now that was easy! Thanks a million! 😉

Multiple Values per Event - transforms.conf regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!