Re: Rex multiple strings from field query

stephenreece · ‎07-11-2019

Morning all,

I hope this is an easy one where i am just missing some login somewhere.

I have a field called errors that houses data that looks like this:

*Fieldname *

errors

String
56005:16;69002:1;56009:3958

This is indicating that a single event can incur multiple errors and i need to pull all the error codes separately (codes are always numerical and always 5 digits long).

The colon and digits after indicate count volumes which are irrelevant and the delimiter is always a semi-colon.

This seems quite an easy pull as the rex is simply "(\d\d\d\d\d):"

However i can't get splunk to spit anything out at all (and ive tried lots of variations).

Ideally i want to stats value the result by user so i end up with something like the below:

user1 56005
56002
69009
User2 66095
56077

any ideas?:

renjith_nair · ‎07-11-2019

@stephenreece

Try

|rex field=errors max_match=0 "(?<Errors>\d{5}):"

---
What goes around comes around. If it helps, hit it with Karma 🙂

stephenreece · ‎07-11-2019

current search = | rex field=errors "(?(\d\d\d\d\d):)"

stephenreece · ‎07-11-2019

this will give back the first rex entry only, so i need a way to reproduce and collect an unlimited amount of REX groups.. (each string may contain from 1 to 1000 codes).

Rex multiple strings from field query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation