Rex multiple strings from field query

stephenreece · ‎07-11-2019

Morning all,

I hope this is an easy one where i am just missing some login somewhere.

I have a field called errors that houses data that looks like this:

*Fieldname *

errors

String
56005:16;69002:1;56009:3958

This is indicating that a single event can incur multiple errors and i need to pull all the error codes separately (codes are always numerical and always 5 digits long).

The colon and digits after indicate count volumes which are irrelevant and the delimiter is always a semi-colon.

This seems quite an easy pull as the rex is simply "(\d\d\d\d\d):"

However i can't get splunk to spit anything out at all (and ive tried lots of variations).

Ideally i want to stats value the result by user so i end up with something like the below:

user1 56005
56002
69009
User2 66095
56077

any ideas?:

renjith_nair · ‎07-11-2019

@stephenreece

Try

|rex field=errors max_match=0 "(?<Errors>\d{5}):"

Happy Splunking!

stephenreece · ‎07-11-2019

current search = | rex field=errors "(?(\d\d\d\d\d):)"

stephenreece · ‎07-11-2019

this will give back the first rex entry only, so i need a way to reproduce and collect an unlimited amount of REX groups.. (each string may contain from 1 to 1000 codes).

Rex multiple strings from field query

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7