Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Two multivalue fields needed

wkassel
New Member
‎07-26-2017 11:29 AM

Hi - I need to extract two multivalue fields from each event. Let's say the strings are "AAA-" and "BBB-". Each string is followed by a number after the hyphen. An event will have one or both of these strings and possibly multiples of each, hence multivalue. I can pipe the search to a rex command (e.g. |rex max_match=0 "(?AAA-[0-9]+)") which gets me the multivalues of AAA- for each event but how can I include BBB- if it exists in the event as well, or vice versa ?

Thanks,
W

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-26-2017 11:45 AM

If you want use rex to match either of two strings, use a '|'. This string should match either "AAA-1" or "BBB-1".

| rex max_match=0  "(?<foo>(?:AAA|BBB)-[0-9]+)"

You can use regex101.com to test possible regex strings against sample data.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-26-2017 11:45 AM

If you want use rex to match either of two strings, use a '|'. This string should match either "AAA-1" or "BBB-1".

| rex max_match=0  "(?<foo>(?:AAA|BBB)-[0-9]+)"

You can use regex101.com to test possible regex strings against sample data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

wkassel
New Member
‎07-26-2017 12:15 PM

Brilliant! I was trying to get two multivalue fields extracted but no reason they can't be in one field in this case. Great idea! Thank you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-27-2017 04:31 AM

If your problem is solved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...