Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

RegEx extract multiple values per field

splunkbeginner2
Path Finder
‎07-21-2014 03:22 PM

Hello,
I am right now trying to reed Lotus Notes (to be coorect: Domincos console.log-file) Events. One of my problems I have, is the following:
(its not connected to Notes especially, but people should know, that at least someone tried it.)

Sometime I have an ID, but it can occur once, or comma separated twice. What can I do to get this value into two values for one field (I am using the search-time extraction).
e.g.
...[%Timestamp%] Message ABC123 delivered....
...[%Timestamp%] Message ABC129,ABC130 delivered....

My current RegEx extraction for the field is:
... (?P[\dA-Z]+) ...//some other fields exist before and afterwards

but how can I make it detect things twice.. ?

Thanks for your support!

Regards,
Xantor!

Tags (2)
0 Karma
Reply

Suda
Communicator
‎07-21-2014 05:26 PM

Hello,

I think you may have several solutions. I'd like to explain my idea.

I will change regex configuration.

... (?P<messageid>[0-9A-Z,]+) ...

And I will add the following search commands after your search command.

<your search> | makemv delim="," messageid

The field "messageid" will be multiple value field if it has 2 and more contents.

And if you add "| mvexpand messageid", you will get 2 events; ABC129, ABC130.

I hope it helps you.

Thank you.

0 Karma
Reply

splunkbeginner2
Path Finder
‎07-21-2014 05:37 PM

Hey, that sounds interesting. I'll give it a try. mvexpand does only split the event into two, as soon as I search for it, correct?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...