Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for Multiples Values and extract them into a single field?

ito27
New Member
‎03-26-2013 08:07 AM

Can you please help me to figure out how can I extract multiple values in a source and extract them into a single field?

For example, how can I make these two values that I am searching to be extracted to a field named "web_brwoser":

sourcetype="iis-369" | rex field=_raw "(?P\W\w\w\w\w\w\w\W\d\d\d\W\d\d\s\d\d\d),(?:\W\w\w\w\w\W\d\W\d)"

Do I have to type "AND" between the two values? I tried it already and it did not work.
Also, I tried to type "|" = "or" and it don't work either.

Tags (1)
0 Karma
Reply

bjoernjensen
Contributor
‎03-26-2013 10:37 AM

Hey there,

this depends a little on how you would like those values to be shown. Assuming you would like to have a multi value field something like this should work:

sourcetype="iis-369" | rex field=_raw "(?WwwwwwwWdddWddsddd)" | rex field=_raw "(?WwwwwWdWd)" | eval web_browser = field1 + ":" + field2 | makemv delim=":" web_browser | table _time web_browser _raw

This runs rex twice and builds the mv field 'web_browser' using ':' as separator. You should of course be sure your rex does not match that delimiter.

0 Karma
Reply

ito27
New Member
‎03-26-2013 10:20 AM

How can I search for all the values needed and extract them in different fields at the same time? So, the command log get saved by the time I work with the second field. Because there is where my problem come up doing everything at once. For example I type AND or OR in the search bar but it gave me an error because I have duplicated commands.

0 Karma
Reply

jstockamp
Communicator
‎03-26-2013 08:19 AM

To combine two fields you can use "eval combined_field = field1 ."-". field2" - that will combine them with a hyphen between.

0 Karma
Reply

bjoernjensen
Contributor
‎03-26-2013 10:41 AM

Sample data would be very useful. I guess there should be some (regex) way to match "all values needed" inspecting the vicinity.

0 Karma
Reply

jstockamp
Communicator
‎03-26-2013 10:31 AM

I'm having a hard time understanding what you're trying to do. Maybe posting some sample data would be useful. You can easily extract multiple fields in a single rex command.

Reply

ito27
New Member
‎03-26-2013 10:20 AM

How can I search for all the values needed and extract them in different fields at the same time? So, the command log get saved by the time I work with the second field. Because there is where my problem come up doing everything at once. For example I type AND or OR in the search bar but it gave me an error because I have duplicated commands.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...