Repeating regex to fill multivalue field

Derek
Path Finder

Ok. Not having a spectacular regex day...

I have this:

Recipients: joe.smith@mig.mydomain.com, jane.smith@mig.mydomain.com, bob.smith@mig.mydomain.com,

In props.conf I have:

[mySource]
EXTRACT-recipients = (?i)Recipients: (?P<recipients>.*, )
REPORT-to = myTo

and in transforms.conf I have:

[myTo]
REGEX = (?P<to>.*?[,])
SOURCE_KEY = recipients
MV_ADD = true

It sorta works, but I'm getting each to value twice. Also, how do I drop the trailing ',' at the end?

Thanks!!


Ledion_Bitincka
Splunk Employee

You can try the following definition for myTo - it should get rid of the trailing commas; however, I was not able to get double values. Can you post a complete sample event and all transforms that extract a field named 'to'?

[myTo]
REGEX = (?P<to>[^,]+)[,]
SOURCE_KEY = recipients
MV_ADD = true
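
The regexes from this thread run side by side, as an added example that is not part of the original posts. Python's `re.finditer` stands in for Splunk's repeated search-time matching under `MV_ADD = true` (an approximation), the sample event is constructed from the line in the question with a trailing space assumed, and `TRIMMED` is a hypothetical variant that also drops the space after each comma.

```python
import re

# Constructed sample event, based on the line quoted in the question.
# Assumption: the original event ends with ", " (comma plus space).
EVENT = ("Recipients: joe.smith@mig.mydomain.com, "
         "jane.smith@mig.mydomain.com, bob.smith@mig.mydomain.com, ")

# EXTRACT-recipients from props.conf: produces the SOURCE_KEY field.
RECIPIENTS = re.compile(r"(?i)Recipients: (?P<recipients>.*, )")

# Candidate REGEX values for the [myTo] transform.
ORIGINAL = r"(?P<to>.*?[,])"          # from the question
ANSWER = r"(?P<to>[^,]+)[,]"          # from the answer
TRIMMED = r"\s*(?P<to>[^,\s]+)\s*,"   # hypothetical variant, not from the page


def extract_to(event, transform_regex):
    """Approximate MV_ADD = true: apply the transform regex repeatedly to
    the 'recipients' value and collect every 'to' capture into one list."""
    m = RECIPIENTS.search(event)
    if m is None:
        return []
    source = m.group("recipients")
    return [hit.group("to") for hit in re.finditer(transform_regex, source)]


if __name__ == "__main__":
    for name, rx in (("ORIGINAL", ORIGINAL), ("ANSWER", ANSWER),
                     ("TRIMMED", TRIMMED)):
        print(name, extract_to(EVENT, rx))
    # Edge case: without the trailing space, the greedy ".*, " in the
    # EXTRACT backtracks to the previous ", " and the last recipient is
    # never seen by the transform.
    print("NO TRAILING SPACE", extract_to(EVENT.rstrip(), TRIMMED))
```

The answer's pattern removes the trailing commas but keeps the space that follows each comma, so every value after the first starts with a blank; that matters when the field is later compared or joined against exact addresses.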

Derek
Path Finder

The regex worked great. Thanks! I sorted out the issue with the duplicates. It was the way I was using extract to reload my props/transforms.
