Splunk Search

Regex: How to extract multiple fields with the same name?

olheiser01
New Member

Here is an example of the log I am dealing with:

<123 Main St>
<456 Center St.>

I'd like to simply extract the names and addresses as seen below, but I'm not sure how to deal with the fields having the same name for different people.

Sender Name    Sender Address     Receiver Name     Receiver Address
John Doe       123 Main St.       Jane Doe          456 Center St.
0 Karma

somesoni2
Revered Legend

Try like this

your base search | rex "\<send-customer\>\<full-name\>\<(?<SenderName>[^\>]+)\>\<\/full-name\>\<address\>\<(?<SenderAddress>[^\>]+)\>\<\/address\>\<\/send-customer\>"  | rex "\<receive-customer\>\<full-name\>\<(?<ReceiverName>[^\>]+)\>\<\/full-name\>\<address\>\<(?<ReceiverAddress>[^\>]+)\>\<\/address\>\<\/receive-customer\>"
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think we need more information. Your sample log has only an address so how is it identified as Sender Address or Receiver Address? Where do the names come from?

---
If this reply helps you, Karma would be appreciated.
0 Karma

olheiser01
New Member

There was definitely a typo some where. Here is what I meant to ask:

Here is an example of the log I am dealing with:

<send-customer><full-name><John Doe></full-name><address><123 Main St></address></send-customer>
<receive-customer><full-name><Jane Doe></full-name><address><456 Center St.></address></receive-customer>

I'd like to simply extract the names and addresses as seen below but Im not sure how to deal with the fields having the same name for different people.

**Sender Name    Sender Address        Receiver Name     Receiver Address**
John Doe           123 Main St.               Jane Doe                456 Center St.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The spath command will create fields with different names: send-customer.address, receive-customer.address, etc. However, spath doesn't work with your data since the values look like tags with angle brackets around them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...