Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

RegEx extract multiple values per field

splunkbeginner2
Path Finder
‎07-21-2014 03:22 PM

Hello,
I am right now trying to reed Lotus Notes (to be coorect: Domincos console.log-file) Events. One of my problems I have, is the following:
(its not connected to Notes especially, but people should know, that at least someone tried it.)

Sometime I have an ID, but it can occur once, or comma separated twice. What can I do to get this value into two values for one field (I am using the search-time extraction).
e.g.
...[%Timestamp%] Message ABC123 delivered....
...[%Timestamp%] Message ABC129,ABC130 delivered....

My current RegEx extraction for the field is:
... (?P[\dA-Z]+) ...//some other fields exist before and afterwards

but how can I make it detect things twice.. ?

Thanks for your support!

Regards,
Xantor!

Tags (2)
0 Karma
Reply

Suda
Communicator
‎07-21-2014 05:26 PM

Hello,

I think you may have several solutions. I'd like to explain my idea.

I will change regex configuration.

... (?P<messageid>[0-9A-Z,]+) ...

And I will add the following search commands after your search command.

<your search> | makemv delim="," messageid

The field "messageid" will be multiple value field if it has 2 and more contents.

And if you add "| mvexpand messageid", you will get 2 events; ABC129, ABC130.

I hope it helps you.

Thank you.

0 Karma
Reply

splunkbeginner2
Path Finder
‎07-21-2014 05:37 PM

Hey, that sounds interesting. I'll give it a try. mvexpand does only split the event into two, as soon as I search for it, correct?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...