Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regular Expression to extract the below values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, One of my value in table is being passed as an Boolean expression as below
(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)
I'm trying to use the | makemv tokenizer= to make the above to be extracted as multivalues as below
1213App_Developmen1
App-Testing
App Support
App:Support
App&$+*Support
AppSupport
And then use mxexpand to appy other table values to the expanded fields.
Can anyone help me with the Regex to do so.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
|makeresults
| eval _raw="(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)"
| rex max_match=0 "assignment_group\s*=\s*(?<assignment_group>[^\s\)]+)"
Avoid the use of mvexpand; it does not scale well and will cause false results. All of the *stats commands are multivalue-aware and will do the right thing so just leave it as multivalue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
|makeresults
| eval _raw="(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)"
| rex max_match=0 "assignment_group\s*=\s*(?<assignment_group>[^\s\)]+)"
Avoid the use of mvexpand; it does not scale well and will cause false results. All of the *stats commands are multivalue-aware and will do the right thing so just leave it as multivalue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many Thanks @woodcock , extraction is working as expected expect if there is a white space between the values.. included am additional \s.
| rex max_match=0 "assignment_group\s*=\s*(?\s[^OR)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try assignment_group\s=\s([^\s]+).
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aswin_asok,
please try this regex:
| rex "assignment_group = (?<assignment_group>[^OR]*)"
that you can test at https://regex101.com/r/uKxTe4/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
