Multiple rex commands no longer works in Fast/Smar... - Page 2

mattiaslindblom · ‎06-12-2017

In Splunk 6.6.1, it seems like multiple rex commands with the same field name does no longer work in Fast or Smart mode, if it's followed by for example stats or table.

I want to rex the words "please", "extract" and "me":

index=test please_extract_me
| rex "(?<my_field>.*)_extract_me"
| rex "please_(?<my_field>.*)_me"
| rex "please_extract_(?<my_field>.*)"
| stats count by my_field

Usually, regardless of what search mode was used, I would/should get three lines as result. Now I have to select Verbose mode to get it to work; in Fast or Smart mode, only the last rex works and will show up in the count.

One way around this is apparently by doing this, as if the different rex's would create multiple fields with the same name instead of one field with multiple values:

index=test please_extract_me
| rex "(?<my_field>.*)_extract_me"
| rex "please_(?<my_field>.*)_me"
| rex "please_extract_(?<my_field>.*)"
| fields *
| stats count by my_field

Anyone else experiencing this?

Multiple rex commands no longer works in Fast/Smart mode?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms